Authentication method and related apparatus

ABSTRACT

This disclosure provides an authentication method and a related apparatus. The method includes: A terminal device receives a first received encrypted reference signal corresponding to a first sent encrypted reference signal that is generated by an access network device using a pilot key and a first reference signal and transmitted through a channel; the terminal device performs channel estimation by using the first received encrypted reference signal and the first sent encrypted reference signal, to obtain downlink channel state information; and the terminal device sends first information to the access network device, where the first information includes the downlink channel state information, to effectively defend against man-in-the-middle attacks.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of International Application No.PCT/CN2021/136248, filed on Dec. 8, 2021, which claims priority toChinese Patent Application No. 202011511834.0, filed on Dec. 18, 2020.The disclosures of the aforementioned applications are herebyincorporated by reference in their entireties.

TECHNICAL FIELD

This disclosure relates to the communication field, and in particular,to an authentication method and a related apparatus.

BACKGROUND

In a man-in-the-middle attack model, an attacker acts as a maliciousrelay, mainly including a rogue base station and rogue user equipment.The attacker is capable of intercepting and sending a radio signal at aspecific frequency. Man-in-the-middle attacks mainly include atransparent forwarding attack and a user location spoofing attack. Thetransparent forwarding attack is as follows: The rogue base station andthe rogue user transparently forward authentication signaling between anauthorized user and an authorized base station. The rogue base stationcan be authenticated by the authorized user. After the authorized usersuccessfully accesses the rogue base station, the rogue base station canchoose to discard some uplink or downlink messages to cause a denial ofservice (DoS) of the user, steal sensitive information such as anaccount and a password of the authorized user, and tamper with a domainname system (Domain Name System, DNS) messages to direct the authorizeduser to a malicious website or the like. The user location spoofingattack is as follows: An authorized user is in a geographical locationA, a visiting network (visiting network) covered by the geographicallocation A is a visiting network A, and a visiting network covered by ageographical location B is a visiting network B. The authorized user ofthe visiting network A successfully accesses the visiting network Bthrough a man-in-the-middle, and an operator considers that the user isin the geographical location B.

The currently used authentication method cannot defend against theman-in-the-middle attacks very well. As a result, it is necessary tostudy a solution that can defend against the man-in-the-middle attacksbetter.

SUMMARY

This disclosure provides an authentication method and a relatedapparatus, to defend against a man-in-the-middle attack.

According to a first aspect, an embodiment of this disclosure providesan authentication method, where the method includes: A terminal devicereceives a first received encrypted reference signal, where the firstreceived encrypted reference signal includes a signal received by theterminal device when a first sent encrypted reference signal sent by anaccess network device is transmitted through a channel, the first sentencrypted reference signal is obtained by using a pilot key and a firstreference signal, and the pilot key is obtained by using a private keyof the terminal device and a public key on a network device side, or thepilot key is obtained by using a private key on the network device sideand a public key of the terminal device; the terminal device performschannel estimation by using the first received encrypted referencesignal and the first sent encrypted reference signal, to obtain downlinkchannel state information; and the terminal device sends firstinformation to the access network device, where the first informationincludes the downlink channel state information. The public key on thenetwork device side may be a public key of the access network device, ormay be a public key of a non-access stratum network device. The pilotkey is a key for encrypting a pilot signal (that is, a referencesignal).

The first sent encrypted reference signal sent by the access networkdevice is obtained by using the pilot key and the first referencesignal. In other words, the first sent encrypted reference signal can begenerated only when the pilot key is known. The terminal device canobtain or generate a pilot key, but an attacker (for example, a roguebase station or a rogue terminal device) cannot obtain the pilot key.Therefore, the terminal device can perform channel estimation by usingthe received first received encrypted reference signal to obtaindownlink channel state information. The downlink channel stateinformation can accurately represent a status of a downlink channelbetween the access network device and the terminal device. However,because the attacker cannot obtain the pilot key, even if the attackersteals the first received encrypted reference signal, the attackercannot implement channel estimation. In other words, the attacker cannotobtain the downlink channel state information that can accuratelyrepresent the status of the downlink channel between the access networkdevice and the terminal device. It should be understood that if downlinkchannel state information sent by a terminal device can accuratelyrepresent a status of a downlink channel between an access networkdevice and the terminal device, the terminal device is definitely anauthorized terminal device instead of an attacker.

In this embodiment of this disclosure, the terminal device performschannel estimation by using the first sent encrypted reference signaland the first received encrypted reference signal, and sends downlinkchannel state information obtained by performing channel estimation, toprove that the terminal device is an authorized terminal device. Becausethe attacker cannot obtain the first sent encrypted reference signal,the attacker cannot obtain, through channel estimation, the downlinkchannel state information that can accurately represent the channelbetween the access network device and the terminal device. Therefore,the terminal device sends the downlink channel state information to theaccess network device, to effectively defend against a man-in-the-middleattack.

In a possible implementation, the terminal device and the access networkdevice may pre-agree on a used encrypted reference signal, for example,a first sent encrypted reference signal. Specifically, the terminaldevice considers a reference signal in any signal sent by the accessnetwork device as the first sent encrypted reference signal by default.For example, the terminal device and the access network device pre-agreethat the signal sent by the access network device carries the first sentencrypted reference signal, and the terminal device performs channelestimation by using the first sent encrypted reference signal (known)and a signal received by the terminal device when the first sentencrypted reference signal is transmitted through a channel. Theterminal device may obtain, by using a preset interaction policy, thefirst sent encrypted reference signal sent by the access network device.Specifically, the access network device may send one piece of downlinkindication information, and the downlink indication informationindicates the first sent encrypted reference signal; or the accessnetwork device may indicate, to the terminal device by using signalingsuch as a master information block (master information block, MIB)message or radio resource control (radio resource control, RRC)signaling, that the reference signal in the signal sent by the accessnetwork device is the first sent encrypted reference signal. It shouldbe understood that the terminal device may learn, in a plurality ofmanners, that the reference signal in the signal sent by the accessnetwork device is the first sent encrypted reference signal. This is notlimited in this disclosure.

In a possible implementation, that the first sent encrypted referencesignal is obtained by using a pilot key and a first reference signalincludes: The first sent encrypted reference signal is obtained byencrypting the first reference signal using the pilot key, where thefirst sent encrypted reference signal includes at least two same firstencrypted sequences, and the first encrypted sequence is obtained byencrypting the first reference signal using the pilot key; or the firstsent encrypted reference signal includes a hash chain, the hash chainincludes at least two binary sequences, a first binary sequence in thehash chain is a second encrypted sequence, and the second encryptedsequence is obtained by encrypting the first reference signal using thepilot key.

In this implementation, three manners of obtaining the first sentencrypted reference signal by using the pilot key and the firstreference signal are listed, but this implementation is not limited toobtaining the first sent encrypted reference signal in the threemanners. The first reference signal may be a demodulation referencesignal (demodulation reference signal, DM-RS), a channel stateinformation reference signal (channel state information referencesignal, CSI-RS), a sounding reference signal (sounding reference signal,SRS), or another reference signal. The encrypting the first referencesignal by using the pilot key may be: encrypting the first referencesignal by using an encryption algorithm and using the pilot key as akey. The encryption algorithm may be any cryptographic algorithm, forexample, an Advanced Encryption Standard (advanced encryption standard,AES) encryption algorithm. For example, RS1 represents the firstreference signal, PRS1 represents the first sent encrypted referencesignal, and PRS1=E_(AES)(RS1); and E_(AES( )) is the AES encryptionalgorithm. In this example, the first reference signal is a binarysequence (for example, a rogue random sequence), that is, a sequence ina form of binary bits 0 and 1. The first sent encrypted reference signalis a binary sequence. The first encrypted sequence may be a binarysequence obtained by encrypting the first reference signal by using anencryption algorithm and using the pilot key as a key. The secondencrypted sequence may be the same as the first encrypted sequence. In apossible implementation, a non-first binary sequence in the hash chainsatisfies the following formula:

hash_(i)(E _(AES)(RS1))=hash₁ ^(i-1)(E _(AES)

where hash_(i)(E_(AES)(RS1)) represents an i^(th) binary sequence in thehash chain, hash₁ ^(i-1)(E_(AES)(RS1)) represents a binary sequenceobtained by performing (i−1) times of hash operations on a first binarysequence E_(AES)(RS1) in the hash chain, and i is an integer greaterthan 1.

In this implementation, the first sent encrypted reference signal isobtained by encrypting the first reference signal using the pilot key,and the first sent encrypted reference signal occupies few bits. Asolution in which the first sent encrypted reference signal includes atleast two same first encrypted sequences is highly reliable, and isapplicable to a scenario with a low security requirement. A solution inwhich the first sent encrypted reference signal includes a hash chainhas high security, and is applicable to a scenario with a high securityrequirement.

In a possible implementation, before the terminal device performschannel estimation by using the first received encrypted referencesignal and the first sent encrypted reference signal, the method furtherincludes: The terminal device generates, when working in a firstsecurity mode, the first sent encrypted reference signal including atleast two same first encrypted sequences, where the first encryptedsequence is obtained by encrypting the first reference signal using thepilot key; and the terminal device generates, when working in a secondsecurity mode, the first sent encrypted reference signal including ahash chain, where the hash chain includes at least two binary sequences,a first binary sequence in the hash chain is a second encryptedsequence, the second encrypted sequence is obtained by encrypting thefirst reference signal using the pilot key, and security of the firstsecurity mode is lower than security of the second security mode.

The terminal device may work in at least two security modes withdifferent security, for example, the first security mode and the secondsecurity mode. When the terminal device works in different securitymodes, sent signals carry different encrypted reference signals.Correspondingly, the access network device may also work in at least twosecurity modes with different security, for example, the first securitymode and the second security mode. The terminal device may freely switchbetween different security modes, for example, switch from the firstsecurity mode to the second security mode or switch from the secondsecurity mode to the first security mode. The access network device mayindicate, to the terminal device by using the downlink controlinformation, a security mode in which the access network device works.

In this implementation, the terminal device generates, when working inthe first security mode, the first sent encrypted reference signal thatincludes at least two same first encrypted sequences, where a hashoperation does not need to be performed, and a calculation amount issmall, to be applicable to a scenario with high security; and theterminal device generates, when working in the second security mode, thefirst sent encrypted reference signal that includes at least a hashchain, where a plurality of times of hash operations are performed, andsecurity is high, to be applicable to a scenario with low security.

In a possible implementation, that the first sent encrypted referencesignal is obtained by using a pilot key and a first reference signalincludes: The first sent encrypted reference signal is obtained byencrypting the first reference signal using the pilot key, where thepilot key is obtained by performing a one-way hash operation on a sharedkey, and the shared key is obtained by using the private key of theterminal device and the public key on the network device side.

The shared key K_(m) may be derived from the public key K_(p) ^(HN) onthe network device side and the private key K_(s) ^(UE) of the terminaldevice (that is, on the terminal device side): K_(m)=derive(K_(p) ^(HN),K_(s) ^(UE)), and derive(⋅) is a key derivation method. The terminaldevice may derive the shared key by using the private key of theterminal device and the public key on the network device side. Theaccess network device or the first network device may derive the sharedkey by using the public key of the terminal device and the private keyon the network device side. For example, the first network device, forexample, a unified data management (unified data management, UDM)derives the shared key K_(m)=derive(K_(p) ^(UE), K_(s) ^(HN)) by usingthe public key K_(p) ^(UE) of the terminal device and the private keyK_(s) ^(HN) on the network device side, and derive(⋅) is a keyderivation method. In other words, the terminal device may derive theshared key by using the private key of the terminal device and thepublic key on the network device side; and the access network device orthe first network device may derive the shared key by using the privatekey on the network device side and the public key of the terminaldevice. The terminal device and the access network device may pre-agreeon a used key generation method. The terminal device may perform aone-way hash function operation on the shared key K_(m) to obtain thepilot key K_(s), that is, K_(s)=hash(K_(m)), and hash (⋅) is a hashfunction, and may obtain a pilot key of a required length. A one-wayhash function is a function that changes an input message string of anarbitrary length into an output string of a fixed length from which itis difficult to obtain the input string. This output string is referredto as a hash value of the message, and is generally for generating amessage digest and encrypting a key.

In this implementation, the pilot key is obtained by performing aone-way hash operation on the shared key. In this way, a key of arequired length can be obtained, and a difficulty of cracking the pilotkey can be further increased.

In a possible implementation, the first information further includes asecond sent encrypted reference signal, and the second sent encryptedreference signal is obtained by using the pilot key and a secondreference signal.

The second sent encrypted reference signal is used by the access networkdevice to perform channel estimation on an uplink channel between theaccess network device and the terminal device.

In this implementation, the second sent encrypted reference signal iscarried in the first information, so that an attacker cannot implementchannel estimation, thereby defending against a man-in-the-middleattack.

In a possible implementation, before the terminal device receives thefirst received encrypted reference signal, the method further includes:The terminal device receives first indication information, where thefirst indication information indicates a location of the first receivedencrypted reference signal that is in second information and that is tobe received by the terminal device.

The first indication information may be downlink control information(downlink control information, DCI). The first indication informationmay include a first encrypted reference signal index. The firstencrypted reference signal index indicates the location of the firstreceived encrypted reference signal that is in the second informationand that is to be received by the terminal device. The first receivedencrypted reference information is included in the second information,and the operation of receiving, by the terminal device, the firstreceived encrypted reference signal may be an operation of receiving thesecond information. After receiving the second information, the terminaldevice may obtain the first received encrypted reference signal from thesecond information based on the first indication information. Theterminal device may store a correspondence between an index and alocation of an encrypted reference signal, and may determine, by usingthe correspondence, a location of an encrypted reference signalindicated by any encrypted reference signal index. For example, thefirst indication information received by the terminal device includes anencrypted reference signal index 1, and the terminal device obtains asignal that is in a first location and in the second information toobtain the first received encrypted reference signal. For anotherexample, the first indication information received by the terminaldevice includes an encrypted reference signal index 2, and the terminaldevice obtains a signal that is in a second location and in the secondinformation, to obtain the first received encrypted reference signal.

In this implementation, the first indication information indicates thelocation of the first received encrypted reference signal that is in thesecond information and that is to be received by the terminal device,and the terminal device can accurately obtain, based on the firstindication information, the location of the first received encryptedreference signal that is in the second information and that is to bereceived.

In a possible implementation, the first indication information furtherincludes at least one of the following: a first encrypted referencesignal type, a first encrypted reference signal length, a firstencrypted activation indication, and a first security mode indication,where the first encrypted reference signal type is a type of the firstreceived encrypted reference signal, the first encrypted referencesignal length indicates a length of the first received encryptedreference signal, the first encrypted activation indication indicatesthe access network device to send an unencrypted reference signal or anencrypted parameter signal, and the first security mode indicationindicates an encryption manner of the first received encrypted referencesignal.

In this implementation, the first indication information may carryinformation that can further define the reference signal to be sent bythe access network device, so that the terminal device can accuratelyobtain the encrypted reference signal or the unencrypted referencesignal sent by the access network device.

In a possible implementation, that the terminal device performs channelestimation by using the first received encrypted reference signal andthe first sent encrypted reference signal, to obtain the downlinkchannel state information includes: The terminal device performs channelestimation by using the first received encrypted reference signal andthe first sent encrypted reference signal, to obtain a downlink channelestimation value; and uses first strength characteristic information andfirst phase characteristic information that are extracted based on thedownlink channel estimation value as the downlink channel stateinformation.

The terminal device may perform channel estimation by using a leastsquare method, a minimum mean square error method, or the like. In thisimplementation, the least square method is used as an example. It isassumed that a frequency domain response corresponding to a first sentencrypted reference signal PRS generated by an access network device(for example, a base station) is X(k), and k is a subcarrier sequencenumber. Because the terminal device encrypts the first reference signalby using the pilot key K_(s) to obtain the PRS, X(k) is known to theterminal device. Assuming that a frequency domain response of anencrypted reference signal (that is, a first received encryptedreference signal) received by the terminal device is Y(k), a formula forperforming channel estimation by the terminal device to obtain adownlink channel estimation value is as follows:

${H_{down}(k)} = {\frac{Y(k)}{X(k)} = {{❘{H_{down}(k)}❘}e^{j{\theta_{down}(k)}}}}$

where H_(down)(k) represents the downlink channel estimation value.

The terminal device extracts the first strength characteristicinformation |H_(down)(k)| and the first phase characteristic informationθ_(down)(k) based on the downlink channel estimation value as thedownlink channel state information CSI_(down). An extraction formula isas follows:

|H _(down)(k)|=√{square root over (real(H _(down)(k))²+imag(H_(down)(k))²)}

θ_(down)(k)=arctan(imag(H _(down)(k))/real(H _(down)(k)))

where |H_(down)(k)| represents the first intensity characteristicinformation, and θ_(down)(k) represents the first phase characteristicinformation.

In this implementation, the strength characteristic information and thephase characteristic information are extracted by using the downlinkchannel estimation value, so that downlink channel state informationthat accurately represents a downlink channel state can be obtained.

According to a second aspect, an embodiment of this disclosure providesanother authentication method, where the method includes: An accessnetwork device receives a second received encrypted reference signal,where the second received encrypted reference signal includes a signalreceived by the access network device when a second sent encryptedreference signal sent by a terminal device is transmitted through achannel, the second sent encrypted reference signal is obtained by usinga pilot key and a second reference signal, and the pilot key is obtainedby using a private key of the terminal device and a public key on anetwork device side, or the pilot key is obtained by using a private keyon the network device side and a public key of the terminal device; theaccess network device performs channel estimation by using the secondreceived encrypted reference signal and the second sent encryptedreference signal, to obtain uplink channel state information; and theaccess network device sends channel authentication information to afirst network device, where the channel authentication information isfor verifying whether a message received by the access network devicefrom the terminal device is valid or invalid, and the channelauthentication information is obtained by using the uplink channel stateinformation.

The access network device and the terminal device may pre-agree on aused encrypted reference signal, for example, a second sent encryptedreference signal. Specifically, the access network device considers areference signal in any signal sent by the terminal device as the secondsent encrypted reference signal by default. The access network devicemay obtain, by using a preset interaction policy, the second sentencrypted reference signal sent by the terminal device. Specifically,the terminal device may send one piece of uplink indication informationto the access network device, and the uplink indication informationindicates the second sent encrypted reference signal. It should beunderstood that the access network device may learn, in a plurality ofmanners, that the reference signal in the signal sent by the terminaldevice is the second sent encrypted reference signal. This is notlimited in this disclosure. The channel authentication information isgenerated by using the uplink channel state information. The channelauthentication information may be generated by using the uplink channelstate information and downlink channel state information that is fromthe terminal device, and the downlink channel state informationrepresents a state of a downlink channel between the terminal device andthe access network device.

In this embodiment of this disclosure, the access network deviceperforms channel estimation by using the second sent encrypted referencesignal and the second received encrypted reference signal, to obtain theuplink channel state information. Then, the channel authenticationinformation is generated by using the uplink channel state information,and the channel authentication information is sent to the first networkdevice, so that the first network device verifies whether the messagereceived by the access network device from the terminal device is validor invalid, and can defend against a man-in-the-middle attack.

In a possible implementation, that the second sent encrypted referencesignal is obtained by using a pilot key and a second reference signalincludes: The second sent encrypted reference signal is obtained byencrypting the second reference signal by using the pilot key, where thesecond sent encrypted reference signal includes at least two same thirdencrypted sequences, and the third encrypted sequence is obtained byencrypting the second reference signal by using the pilot key; or thesecond sent encrypted reference signal includes a hash chain, the hashchain includes at least two binary sequences, a first binary sequence inthe hash chain is a fourth encrypted sequence, and the fourth encryptedsequence is obtained by encrypting the second reference signal by usingthe pilot key.

In this implementation, the first sent encrypted reference signal isobtained by encrypting the first reference signal using the pilot key,and the second sent encrypted reference signal occupies few bits. Asolution in which the second sent encrypted reference signal includes atleast two same third encrypted sequences is highly reliable, and isapplicable to a scenario with a low security requirement. A solution inwhich the second sent encrypted reference signal includes a hash chainhas high security, and is applicable to a scenario with a high securityrequirement.

In a possible implementation, that the second sent encrypted referencesignal is obtained by using a pilot key and a second reference signalincludes: The second sent encrypted reference signal is obtained byencrypting the second reference signal by using the pilot key, where thepilot key is obtained by performing a one-way hash operation on a sharedkey, and the shared key is obtained by using the private key on thenetwork device side and the public key of the terminal device.

The access network device may receive the pilot key generated by thefirst network device. For example, the first network device, forexample, a UDM derives the shared key K_(m)=derive(K_(p) ^(UE), K_(s)^(HN)) by using the public key K_(p) ^(UE) of the terminal device andthe private key K_(s) ^(HN) on the network device side, and derive(⋅) isa key derivation method; and a one-way hash function operation isperformed on the shared key K_(m) to obtain the pilot key K_(s), thatis, K_(s)=hash(K_(m)), and hash (⋅) is a hash function. The accessnetwork device may receive the shared key K_(m) generated by the firstnetwork device, and perform a one-way hash function operation on theshared key K_(m) to obtain the pilot key K_(s), that is,K_(s)=hash(K_(m)), and hash (⋅) is a hash function. The access networkdevice may encrypt the first reference signal by using any encryptionalgorithm and using the pilot key as a key.

In this implementation, the pilot key is obtained by performing aone-way hash operation on the shared key. In this way, a key of arequired length can be obtained, and a difficulty of cracking the pilotkey can be further increased.

In a possible implementation, before the access network device sends thechannel authentication information, the method further includes: Theaccess network device demodulates first information based on the uplinkchannel state information, to obtain downlink channel state information;and the access network device generates the channel authenticationinformation based on the uplink channel state information and thedownlink channel state information.

Demodulation is a process of recovering a message from a modulatedsignal that carries the message. In various information transmission orprocessing systems, a transmit end (corresponding to the terminaldevice) modulates a carrier with a message to be transmitted, togenerate a signal carrying the message. A receive end (corresponding tothe access network device) needs to recover the transmitted messagebefore the message can be used. This is referred to as demodulation. Thefirst information received by the access network device may carry thedownlink channel state information and the second received encryptedreference signal. After completing channel estimation, the accessnetwork device may demodulate the first information by using a channelestimation result (namely, uplink channel state information), to obtaindownlink channel state information. That the access network devicegenerates the channel authentication information based on the uplinkchannel state information and the downlink channel state information maybe: using a correlation coefficient or consistency between the uplinkchannel state information and the downlink channel state information asthe channel authentication information. The correlation coefficientrepresents a degree of similarity between the uplink channel stateinformation and the downlink channel state information, and a largercorrelation coefficient indicates that the uplink channel stateinformation and the downlink channel state information are more similar.It should be understood that, when the authorized access network deviceperforms data transmission with the authorized terminal device, anuplink channel obtained by performing channel estimation by theauthorized access network device is necessarily similar to a downlinkchannel obtained by performing channel estimation by the authorizedterminal device. For example, if the channel authentication information(for example, a correlation coefficient) is greater than a presetthreshold, it indicates that the message received by the access networkdevice from the terminal device is valid; otherwise, it indicates thatthe message received by the access network device from the terminaldevice is invalid. Therefore, the channel authentication information maybe for verifying whether the message received by the access networkdevice from the terminal device is valid or invalid.

In this implementation, the channel authentication information thatrepresents a similarity between the downlink channel estimated by theterminal device and the uplink channel estimated by the access networkdevice is generated based on the uplink channel state information andthe downlink channel state information, so that the channelauthentication information is for determining whether the messagereceived by the access network device from the terminal device is validor invalid.

In a possible implementation, the method further includes: The accessnetwork device sends second information to the terminal device, wherethe second information includes a first sent encrypted reference signal,and the first sent encrypted reference signal is obtained by using thepilot key and a first reference signal.

In this implementation, the first sent encrypted reference signal iscarried in the second information, so that an attacker cannot performchannel estimation, thereby defending against a man-in-the-middleattack.

In a possible implementation, the method further includes: The accessnetwork device generates, when working in a first security mode, thefirst sent encrypted reference signal including at least two same firstencrypted sequences, where the first encrypted sequence is obtained byencrypting the first reference signal using the pilot key; and theaccess network device generates, when working in a second security mode,the first sent encrypted reference signal including a hash chain, wherethe hash chain includes at least two binary sequences, a first binarysequence in the hash chain is a second encrypted sequence, the secondencrypted sequence is obtained by encrypting the first reference signalusing the pilot key, and security of the first security mode is lowerthan security of the second security mode.

The access network device may work in at least two security modes withdifferent security, for example, the first security mode and the secondsecurity mode. When the access network device works in differentsecurity modes, different encrypted reference signals may be generated.Correspondingly, the terminal device may also work in at least twosecurity modes with different security, for example, the first securitymode and the second security mode. The access network device may freelyswitch between different security modes, for example, switch from thefirst security mode to the second security mode or switch from thesecond security mode to the first security mode. The access networkdevice may indicate, to the terminal device by using the downlinkcontrol information, a security mode in which the access network deviceworks.

In this implementation, the access network device generates, whenworking in the first security mode, the first sent encrypted referencesignal that includes at least two same first encrypted sequences, wherea hash operation does not need to be performed, and a calculation amountis small, to be applicable to a scenario with high security; and theaccess network device generates, when working in the second securitymode, the first sent encrypted reference signal that includes at least ahash chain, where a plurality of times of hash operations are performed,and security is high, to be applicable to a scenario with low security.

In a possible implementation, before the access network device receivesthe second received encrypted reference signal, the method furtherincludes: The access network device receives second indicationinformation, where the second indication information indicates alocation of the second received encrypted reference signal that is infirst information and that is to be received by the access networkdevice.

The second indication information may be uplink control information(uplink control information, UCI). The second indication information mayinclude a second encrypted reference signal index. The second encryptedreference signal index indicates the location of the second receivedencrypted reference signal that is in the first information and that isto be received by the access network device. The second receivedencrypted reference information is included in the first information,and the operation of receiving, by the access network device, the secondreceived encrypted reference signal may be an operation of receiving thefirst information. After receiving the first information, the accessnetwork device may obtain the second received encrypted reference signalfrom the first information based on the second indication information.The access network device may store a correspondence between an indexand a location of an encrypted reference signal, and may determine, byusing the correspondence, a location of an encrypted reference signalindicated by any encrypted reference signal index. For example, thesecond indication information received by the access network deviceincludes an encrypted reference signal index 3, and the access networkdevice obtains a signal that is in a third location and in the firstinformation, to obtain the second received encrypted reference signal.For another example, the second indication information received by theaccess network device includes an encrypted reference signal index 4,and the access network device obtains a signal that is in a fourthlocation and in the first information, to obtain the second receivedencrypted reference signal.

In this implementation, the access network device can accurately obtain,based on the second indication information, a location of the secondreceived encrypted reference signal that is in first information andthat is to be received.

In a possible implementation, the second indication information furtherincludes at least one of the following: a second encrypted referencesignal type, a second encrypted reference signal length, a secondencrypted activation indication, and a second security mode indication,where the second encrypted reference signal type is a type of the secondreceived encrypted reference signal, the second encrypted referencesignal length indicates a length of the second received encryptedreference signal, the second encrypted activation indication indicatesthe access network device to send an unencrypted reference signal or anencrypted parameter signal, and the second security mode indicationindicates an encryption manner of the second received encryptedreference signal.

The second encrypted reference signal type may be a DM-RS, an SRS, orthe like. The second encrypted reference signal length indicates alength of the second received encrypted reference signal. For example,if the length of the second encrypted reference signal is K, itindicates that the encrypted reference signal to be sent by the accessnetwork device occupies K bits, and K is an integer greater than 1. Ifthe length of the second encrypted reference signal is F, it indicatesthat the encrypted reference signal to be sent by the access networkdevice occupies F bits, and F is an integer greater than 1. The secondsecurity mode indication may indicate an encryption manner of anencrypted reference signal to be sent by the access network device. Forexample, when the second security mode indication is 1, the encryptedreference signal to be sent by the access network device includes atleast two same third encrypted sequences, and the third encryptedsequence is obtained by encrypting the second reference signal by usingthe pilot key. For another example, when the second security modeindication is 2, the encrypted reference signal to be sent by the accessnetwork device includes a hash chain, and the hash chain includes atleast two binary sequences. A first binary sequence in the hash chain isa fourth encrypted sequence, and the fourth encrypted sequence isobtained by encrypting the second reference signal by using the pilotkey. The second encryption activation indication may indicate whetherthe terminal device sends an encrypted reference signal or anunencrypted reference signal. In some communication scenarios with a lowsecurity requirement, the second encryption activation indicationindicates the terminal device to send an unencrypted reference signal.In some communication scenarios with a high security requirement, thesecond encryption activation indication indicates the terminal device tosend an encrypted reference signal.

In this implementation, the second indication information may carryinformation that can further define the reference signal to be sent bythe access network device, so that the terminal device can accuratelyobtain the encrypted reference signal or the unencrypted referencesignal sent by the access network device.

In a possible implementation, that the access network device performschannel estimation by using the second received encrypted referencesignal and the second sent encrypted reference signal, to obtain theuplink channel state information includes: The access network deviceperforms channel estimation by using the second received encryptedreference signal and the second sent encrypted reference signal, toobtain an uplink channel estimation value; and uses second strengthcharacteristic information and second phase characteristic informationthat are extracted based on the uplink channel estimation value as theuplink channel state information.

The access network device may perform channel estimation by using aleast square method, a minimum mean square error method, or the like. Inthis implementation, the least square method is used as an example. Itis assumed that a frequency domain response corresponding to a secondsent encrypted reference signal PRS generated by a terminal device (forexample, a mobile phone) is X′(k), and k is a subcarrier sequencenumber. Because the access network device encrypts the second referencesignal by using the pilot key K_(s) to obtain the PRS, X′(k) is known tothe access network device. Assuming that a frequency domain response ofan encrypted reference signal (that is, a second received encryptedreference signal) received by the access network device is Y′(k), aformula for performing channel estimation by the access network deviceto obtain an uplink channel estimation value is as follows:

${H_{up}(k)} = {\frac{Y^{\prime}(k)}{X^{\prime}(k)} = {{❘{H_{up}(k)}❘}e^{j{\theta_{up}(k)}}}}$

where H_(up)(k) represents the uplink channel estimation value.

The access network device extracts the second strength characteristicinformation |H_(up)(k)| and the second phase characteristic informationθ_(up)(k) based on the uplink channel estimation value as the uplinkchannel state information CSI_(up). An extraction formula is as follows:

|H _(up)(k)|=√{square root over (real(H _(ip)(k))²+imag(H _(ip)(k))²)}

θ_(up)(k)=arctan(imag(H _(up)(k))/real(H _(up)(k)))

where |H_(up)(k)| represents the second intensity characteristicinformation, and θ_(up)(k) represents the second phase characteristicinformation.

In this implementation, the second strength characteristic informationand the second phase characteristic information are extracted by usingthe uplink channel estimation value, so that uplink channel stateinformation that accurately represents an uplink channel state can beobtained.

According to a third aspect, an embodiment of this disclosure providesanother authentication method, where the method includes: A terminaldevice receives an authentication request, where the authenticationrequest carries a first received encrypted reference signal, the firstreceived encrypted reference signal includes a signal received by theterminal device when a first sent encrypted reference signal sent by anaccess network device is transmitted through a channel, the first sentencrypted reference signal is obtained by using a pilot key and a firstreference signal, and the pilot key is obtained by using a private keyof the terminal device and a public key on a network device side, or thepilot key is obtained by using a private key on the network device sideand a public key of the terminal device; the terminal device performschannel estimation by using the first received encrypted referencesignal and the first sent encrypted reference signal, to obtain downlinkchannel state information; and the terminal device sends anauthentication response to the access network device, where theauthentication response includes the downlink channel state information.The public key on the network device side may be a public key of theaccess network device, or may be a public key of a non-access stratumnetwork device. The pilot key is a key for encrypting a pilot signal(that is, a reference signal).

The authentication request (authentication request) is signaling sent bythe access network device to the terminal device. The authenticationresponse (authentication request) may be understood as signaling fedback to the access network device for the authentication request(authentication request).

In this embodiment of this disclosure, the access network deviceperforms channel estimation by using the second sent encrypted referencesignal and the second received encrypted reference signal, to obtain theuplink channel state information; and generates channel authenticationinformation by using the uplink channel state information, to verifywhether a message received by the access network device from theterminal device is valid or invalid, that is, defend against aman-in-the-middle attack.

In a possible implementation, that the first sent encrypted referencesignal is obtained by using a pilot key and a first reference signalincludes: The first sent encrypted reference signal is obtained byencrypting the first reference signal using the pilot key, where thefirst sent encrypted reference signal includes at least two same firstencrypted sequences, and the first encrypted sequence is obtained byencrypting the first reference signal using the pilot key; or the firstsent encrypted reference signal includes a hash chain, the hash chainincludes at least two binary sequences, a first binary sequence in thehash chain is a second encrypted sequence, and the second encryptedsequence is obtained by encrypting the first reference signal using thepilot key.

In this implementation, the first sent encrypted reference signal isobtained by encrypting the first reference signal using the pilot key,and the first sent encrypted reference signal occupies few bits. Asolution in which the first sent encrypted reference signal includes atleast two same first encrypted sequences is highly reliable, and isapplicable to a scenario with a low security requirement. A solution inwhich the first sent encrypted reference signal includes a hash chainhas high security, and is applicable to a scenario with a high securityrequirement.

In a possible implementation, before the terminal device performschannel estimation by using the first received encrypted referencesignal and the first sent encrypted reference signal, the method furtherincludes: The terminal device generates, when working in a firstsecurity mode, the first sent encrypted reference signal including atleast two same first encrypted sequences, where the first encryptedsequence is obtained by encrypting the first reference signal using thepilot key; and the terminal device generates, when working in a secondsecurity mode, the first sent encrypted reference signal including ahash chain, where the hash chain includes at least two binary sequences,a first binary sequence in the hash chain is a second encryptedsequence, the second encrypted sequence is obtained by encrypting thefirst reference signal using the pilot key, and security of the firstsecurity mode is lower than security of the second security mode.

In this implementation, the terminal device generates, when working inthe first security mode, the first sent encrypted reference signal thatincludes at least two same first encrypted sequences, where a hashoperation does not need to be performed, and a calculation amount issmall, to be applicable to a scenario with high security; and theterminal device generates, when working in the second security mode, thefirst sent encrypted reference signal that includes at least a hashchain, where a plurality of times of hash operations are performed, andsecurity is high, to be applicable to a scenario with low security.

In a possible implementation, that the first sent encrypted referencesignal is obtained by using a pilot key and a first reference signalincludes: The first sent encrypted reference signal is obtained byencrypting the first reference signal using the pilot key, where thepilot key is obtained by performing a one-way hash operation on a sharedkey, and the shared key is obtained by using the private key of theterminal device and the public key on the network device side.

In this implementation, the pilot key is obtained by performing aone-way hash operation on the shared key. In this way, a key of arequired length can be obtained, and a difficulty of cracking the pilotkey can be further increased.

In a possible implementation, the authentication response furtherincludes a second sent encrypted reference signal, and the second sentencrypted reference signal is obtained by using the pilot key and asecond reference signal.

In this implementation, the second sent encrypted reference signal iscarried in the authentication response, so that an attacker cannotimplement channel estimation, thereby defending against aman-in-the-middle attack.

In a possible implementation, before the terminal device receives theauthentication request, the method further includes: The terminal devicereceives first indication information, where the first indicationinformation indicates a location of the first received encryptedreference signal that is in the authentication request and that is to bereceived by the terminal device.

In this implementation, the first indication information indicates thelocation of the first received encrypted reference signal that is in theauthentication request and that is to be received by the terminaldevice, and the terminal device can accurately obtain, based on thefirst indication information, the location of the first receivedencrypted reference signal that is in the second information and that isto be received.

In a possible implementation, the first indication information furtherincludes at least one of the following: a first encrypted referencesignal type, a first encrypted reference signal length, a firstencrypted activation indication, and a first security mode indication,where the first encrypted reference signal type is a type of the firstreceived encrypted reference signal, the first encrypted referencesignal length indicates a length of the first received encryptedreference signal, the first encrypted activation indication indicatesthe access network device to send an unencrypted reference signal or anencrypted parameter signal, and the first security mode indicationindicates an encryption manner of the first received encrypted referencesignal.

In this implementation, the first indication information may carryinformation that can further define the reference signal to be sent bythe access network device, so that the terminal device can accuratelyobtain the encrypted reference signal or the unencrypted referencesignal sent by the access network device.

In a possible implementation, that the terminal device performs channelestimation by using the first received encrypted reference signal andthe first sent encrypted reference signal, to obtain the downlinkchannel state information includes: The terminal device performs channelestimation by using the first received encrypted reference signal andthe first sent encrypted reference signal, to obtain a downlink channelestimation value; and uses first strength characteristic information andfirst phase characteristic information that are extracted based on thedownlink channel estimation value as the downlink channel stateinformation.

In this implementation, the strength characteristic information and thephase characteristic information are extracted by using the downlinkchannel estimation value, so that downlink channel state informationthat accurately represents a downlink channel state can be obtained.

In a possible implementation, before the terminal device receives theauthentication request, the method further includes: The terminal deviceencrypts (for example, symmetrically encrypts) a subscription permanentidentifier SUPI by using the shared key, to obtain a subscriptionconcealed identifier SUCI; and the terminal device sends a registrationrequest, where the registration request includes the SUCI and the publickey of the terminal device.

In this implementation, the SUPI is encrypted by using the shared key,so that a risk that the SUPI is decrypted by an attacker can be reduced.

According to a fourth aspect, an embodiment of this disclosure providesanother authentication method, where the method includes: An accessnetwork device receives an authentication response, where theauthentication response carries a second received encrypted referencesignal, the second received encrypted reference signal includes a signalreceived by the access network device when a second sent encryptedreference signal sent by a terminal device is transmitted through achannel, the second sent encrypted reference signal is obtained by usinga pilot key and a second reference signal, and the pilot key is obtainedby using a private key of the terminal device and a public key on anetwork device side, or the pilot key is obtained by using a private keyon the network device side and a public key of the terminal device; theaccess network device performs channel estimation by using the secondreceived encrypted reference signal and the second sent encryptedreference signal, to obtain uplink channel state information, where theuplink channel state information is for generating channelauthentication information; and the access network device sends channelauthentication information to a first network device, where the channelauthentication information is for verifying whether a message receivedby the access network device from the terminal device is valid orinvalid, and the channel authentication information is obtained by usingthe uplink channel state information.

That the access network device sends the channel authenticationinformation may be: The access network device sendsNausf_UEAuthentication_Authenticate Request signaling that carries thechannel authentication information, where the signaling may furtherinclude a response RES*.

In this embodiment of this disclosure, the access network deviceperforms channel estimation by using the second sent encrypted referencesignal and the second received encrypted reference signal, to obtain theuplink channel state information. Then, the channel authenticationinformation is generated by using the uplink channel state information,and the channel authentication information is sent to the first networkdevice, so that the first network device verifies whether the messagereceived by the access network device from the terminal device is validor invalid, and can defend against a man-in-the-middle attack.

In a possible implementation, that the second sent encrypted referencesignal is obtained by using a pilot key and a second reference signalincludes: The second sent encrypted reference signal is obtained byencrypting the second reference signal by using the pilot key, where thesecond sent encrypted reference signal includes at least two same thirdencrypted sequences, and the third encrypted sequence is obtained byencrypting the second reference signal by using the pilot key; or thesecond sent encrypted reference signal includes a hash chain, the hashchain includes at least two binary sequences, a first binary sequence inthe hash chain is a fourth encrypted sequence, and the fourth encryptedsequence is obtained by encrypting the second reference signal by usingthe pilot key.

In this implementation, the first sent encrypted reference signal isobtained by encrypting the first reference signal using the pilot key,and the second sent encrypted reference signal occupies few bits. Asolution in which the second sent encrypted reference signal includes atleast two same third encrypted sequences is highly reliable, and isapplicable to a scenario with a low security requirement. A solution inwhich the second sent encrypted reference signal includes a hash chainhas high security, and is applicable to a scenario with a high securityrequirement.

In a possible implementation, that the second sent encrypted referencesignal is obtained by using a pilot key and a second reference signalincludes: The second sent encrypted reference signal is obtained byencrypting the second reference signal by using the pilot key, where thepilot key is obtained by performing a one-way hash operation on a sharedkey, and the shared key is obtained by using the private key on thenetwork device side and the public key of the terminal device.

In this implementation, the pilot key is obtained by performing aone-way hash operation on the shared key. In this way, a key of arequired length can be obtained, and a difficulty of cracking the pilotkey can be further increased.

In a possible implementation, before the access network device sends thechannel authentication information, the method further includes: Theaccess network device demodulates the authentication response based onthe uplink channel state information, to obtain downlink channel stateinformation; and the access network device generates the channelauthentication information based on the uplink channel state informationand the downlink channel state information.

In this implementation, the access network device generates, based onthe uplink channel state information and the downlink channel stateinformation, the channel authentication information that represents asimilarity between the downlink channel estimated by the terminal deviceand the uplink channel estimated by the access network device, so thatthe channel authentication information is for determining whether themessage received by the access network device from the terminal deviceis valid or invalid.

In a possible implementation, the method further includes: The accessnetwork device sends an authentication request to the terminal device,where the authentication request includes a first sent encryptedreference signal, and the first sent encrypted reference signal isobtained by using the pilot key and a first reference signal.

In this implementation, the first sent encrypted reference signal iscarried in the authentication request, so that an attacker cannotperform channel estimation, thereby defending against aman-in-the-middle attack.

In a possible implementation, the method further includes: The accessnetwork device generates, when working in a first security mode, thefirst sent encrypted reference signal including at least two same firstencrypted sequences, where the first encrypted sequence is obtained byencrypting the first reference signal using the pilot key; and theaccess network device generates, when working in a second security mode,the first sent encrypted reference signal including a hash chain, wherethe hash chain includes at least two binary sequences, a first binarysequence in the hash chain is a second encrypted sequence, the secondencrypted sequence is obtained by encrypting the first reference signalusing the pilot key, and security of the first security mode is lowerthan security of the second security mode.

In this implementation, the access network device generates, whenworking in the first security mode, the first sent encrypted referencesignal that includes at least two same first encrypted sequences, wherea hash operation does not need to be performed, and a calculation amountis small, to be applicable to a scenario with high security; and theaccess network device generates, when working in the second securitymode, the first sent encrypted reference signal that includes at least ahash chain, where a plurality of times of hash operations are performed,and security is high, to be applicable to a scenario with low security.

In a possible implementation, before the access network device receivesthe authentication response, the method further includes: The accessnetwork device receives second indication information, where the secondindication information indicates a location of the second receivedencrypted reference signal that is in the authentication response andthat is to be received by the access network device.

In this implementation, the second indication information indicates thelocation of the second received encrypted reference signal that is inthe authentication response and that is to be received by the accessnetwork device, and the access network device can accurately obtain,based on the second indication information, the location of the secondreceived encrypted reference signal that is in the first information andthat is to be received.

In a possible implementation, the second indication information furtherincludes at least one of the following: a second encrypted referencesignal type, a second encrypted reference signal length, a secondencrypted activation indication, and a second security mode indication,where the second encrypted reference signal type is a type of the secondreceived encrypted reference signal, the second encrypted referencesignal length indicates a length of the second received encryptedreference signal, the second encrypted activation indication indicatesthe access network device to send an unencrypted reference signal or anencrypted parameter signal, and the second security mode indicationindicates an encryption manner of the second received encryptedreference signal.

In this implementation, the second indication information may carryinformation that can further define the reference signal to be sent bythe access network device, so that the terminal device can accuratelyobtain the encrypted reference signal or the unencrypted referencesignal sent by the access network device.

In a possible implementation, that the access network device performschannel estimation by using the second received encrypted referencesignal and the second sent encrypted reference signal, to obtain theuplink channel state information includes: The access network deviceperforms channel estimation by using the second received encryptedreference signal and the second sent encrypted reference signal, toobtain an uplink channel estimation value; and uses second strengthcharacteristic information and second phase characteristic informationthat are extracted based on the uplink channel estimation value as theuplink channel state information.

In this implementation, the second strength characteristic informationand the second phase characteristic information are extracted by usingthe uplink channel estimation value, so that uplink channel stateinformation that accurately represents an uplink channel state can beobtained.

In a possible implementation, the method further includes: The accessnetwork device receives a registration request from the terminal device,where the registration request carries a subscription concealedidentifier SUCI and the public key of the terminal device; and theaccess network device forwards the SUCI and the public key of theterminal device to a second network device, or the access network devicegenerates the shared key by using the public key of the terminal deviceand the private key on the network device side.

That the access network device forwards the SUCI and the public key ofthe terminal device to a second network device may be: The accessnetwork device forwards the SUCI and the public key of the terminaldevice to another network device by usingNausf_UEAuthentication_Authenticate Request signaling, for example, anetwork device that has an authentication server function(authentication server function, AUSF). The access network deviceforwards the public key of the terminal device to obtain, from anothernetwork device, a shared key or a pilot key obtained by using the publickey and the private key of the network device. For example, the accessnetwork device obtains the shared key or the pilot key fromNausf_UEAuthentication_Authenticate Response signaling. After generatingthe shared key, the access network device may perform a one-way hashoperation on the shared key to obtain the pilot key. It should beunderstood that the access network device may receive a shared key or apilot key sent by another network device, or may generate a shared keyor a pilot key by itself. The subscription concealed identifier(subscription concealed identifier, SUCI) may be obtained by encrypting(for example, symmetrically encrypting) a subscription permanentidentifier (subscription permanent identifier) SUPI by using the sharedkey.

In this implementation, the public key of the terminal device may beobtained, and then the shared key may be obtained or generated.

According to a fifth aspect, an embodiment of this disclosure providesanother authentication method, where the method includes: An accessnetwork device sends a first sent encrypted reference signal to aterminal device, where the first sent encrypted reference signal isobtained by using a pilot key and a first reference signal, and thepilot key is obtained by using a private key of the terminal device anda public key on a network device side, or the pilot key is obtained byusing a private key on the network device side and a public key of theterminal device; the access network device receives first informationfrom the terminal device, where the first information includes downlinkchannel state information, the downlink channel state information isobtained by performing channel estimation by using a first receivedencrypted reference signal and the first sent encrypted referencesignal, and the first received encrypted reference signal includes asignal received by the terminal device when the first sent encryptedreference signal sent by the access network device is transmittedthrough a channel; and the access network device sends channelauthentication information to a first network device, where the channelauthentication information is for verifying whether a message receivedby the access network device from the terminal device is valid orinvalid, and the channel authentication information is obtained by usingthe downlink channel state information.

In this embodiment of this disclosure, the access network device sendsthe first sent encrypted reference signal to the terminal device, sothat only the authorized terminal device can obtain the downlink channelstate information through channel estimation. Then, the channelauthentication information obtained by using the downlink channel stateinformation is sent to the first network device, so that the firstnetwork device verifies whether the message received by the accessnetwork device from the terminal device is valid or invalid, and candefend against a man-in-the-middle attack.

In a possible implementation, after the access network device receivesthe first information from the terminal device, the method furtherincludes: The access network device performs channel estimation by usingsecond received encrypted reference signal and second sent encryptedreference signal, to obtain uplink channel state information, where thesecond sent encrypted reference signal is obtained by using the pilotkey and a second reference signal, the second received encryptedreference signal includes a signal received by the access network devicewhen the second sent encrypted reference signal sent by the terminaldevice is transmitted through a channel, and the second sent encryptedreference signal is included in the first information; and the accessnetwork device generates the channel authentication information based onthe uplink channel state information and the downlink channel stateinformation.

In this implementation, the access network device generates, based onthe uplink channel state information and the downlink channel stateinformation, the channel authentication information that represents asimilarity between the downlink channel estimated by the terminal deviceand the uplink channel estimated by the access network device, so thatthe channel authentication information is for determining whether themessage received by the access network device from the terminal deviceis valid or invalid.

According to a sixth aspect, an embodiment of this disclosure providesanother authentication method, where the method includes: A terminaldevice receives a first received encrypted reference signal, where thefirst received encrypted reference signal includes a signal received bythe terminal device when a first sent encrypted reference signal sent byan access network device is transmitted through a channel, the firstsent encrypted reference signal is obtained by using a pilot key and afirst reference signal, and the pilot key is obtained by using a privatekey of the terminal device and a public key on a network device side, orthe pilot key is obtained by using a private key on the network deviceside and a public key of the terminal device; the terminal device sendsfirst information to the access network device, where the firstinformation includes a second sent encrypted reference signal anddownlink channel state information, the second sent encrypted referencesignal is obtained by using the pilot key and a second reference signal,and the downlink channel state information is obtained by using thefirst received encrypted reference signal.

In this embodiment of this disclosure, the terminal device sends thedownlink channel state information to the access network device, toprove that the terminal device is an authorized terminal device. Inaddition, the second sent encrypted reference signal is sent to theaccess network device, so that the access network device performschannel estimation by using the second sent encrypted reference signal,and performs demodulation to obtain the downlink channel stateinformation.

In a possible implementation, the method further includes: before theterminal device sends the first information to the access networkdevice, the method further includes: The terminal device performschannel estimation by using the first received encrypted referencesignal and the first sent encrypted reference signal, to obtain thedownlink channel state information.

In this implementation, channel estimation is performed by using thefirst received encrypted reference signal and the first sent encryptedreference signal, to obtain the downlink channel state information ofthe terminal device capable of proving that the terminal device is anauthorized terminal device. Because the attacker cannot obtain the firstsent encrypted reference signal, the attacker cannot obtain, throughchannel estimation, the downlink channel state information that canaccurately represent the channel between the access network device andthe terminal device. Therefore, the terminal device sends the downlinkchannel state information to the access network device, to effectivelydefend against a man-in-the-middle attack.

According to a seventh aspect, an embodiment of this disclosure providesanother authentication method, where the method includes: A firstnetwork device receives channel authentication information, where thechannel authentication information represents a correlation between anuplink channel estimated by an access network device and a downlinkchannel estimated by a terminal device; and the first network deviceverifies, based on the channel authentication information, whether amessage received by the access network device from the terminal deviceis valid or invalid.

The first network device may be an access network device, or may be anetwork device having a UDM. In other words, the first network devicemay be the access network device in the first aspect to the sixthaspect, or may be an independent network device, that is, be not theaccess network device in the first aspect to the sixth aspect. That afirst network device receives channel authentication information may be:The first network device receivesNudm_UEAuthentication_ResultConfirmation Request signaling, where thesignaling carries the channel authentication information. TheNudm_UEAuthentication_ResultConfirmation Request signaling may furtherinclude an SUPI, an authentication timestamp, an authentication type,and a visiting network name. The channel authentication information mayinclude an authentication parameter. That the first network deviceverifies, based on the channel authentication information, whether amessage received by the access network device from the terminal deviceis valid or invalid may be: The access network device determines, whenthe authentication parameter is greater than an authenticationthreshold, that the message received by the access network device fromthe terminal device is valid; and the access network device determines,when the authentication parameter is not greater than the authenticationthreshold, that the message received by the access network device fromthe terminal device is invalid.

In this embodiment of this disclosure, whether the message received bythe access network device from the terminal device is valid or invalidis verified based on the channel authentication information, to defendagainst a man-in-the-middle attack.

In a possible implementation, the method further includes: The firstnetwork device generates a shared key by using a public key of theterminal device and a private key on a network device side; and thefirst network device sends the shared key or a pilot key, where thepilot key is obtained by performing a one-way hash operation on theshared key, and the pilot key or the shared key is used by the accessnetwork device to generate the channel authentication information.

The first network device is a non-access stratum network device, forexample, a network device having a UDM.

In this implementation, the first network device generates the sharedkey by using the public key of the terminal device and the private keyon the network device side, and sends the shared key or the pilot key,so that the access network device encrypts a reference signal by usingthe pilot key.

According to an eighth aspect, an embodiment of this disclosure providesanother authentication method, where the method includes: A secondnetwork device sends a public key of a terminal device to a firstnetwork device; the second network device receives a shared key or apilot key sent by the first network device, where the shared key isobtained by using the public key of the terminal device and a privatekey on a network device side, and the pilot key is obtained byperforming a one-way hash operation on the shared key; the secondnetwork device generates key information that includes the shared key orthe pilot key; and the second network device sends the key information.

The second network device may be the access network device in the firstaspect to the fourth aspect, or may be an independent network devicethat has an AUSF, that is, be not the access network device in the firstaspect to the fourth aspect. The first network device is a networkdevice having a UDM.

In this embodiment of this disclosure, the second network device sendsthe key information, so that the access network device encrypts areference signal by using pilot information.

In a possible implementation, the method further includes: The secondnetwork device receives channel authentication information from theaccess network device; and the second network device sends the channelauthentication information to the first network device, where thechannel authentication information is for verifying whether a messagereceived by the access network device from the terminal device is validor invalid.

That the second network device receives channel authenticationinformation from the access network device may be: The second networkdevice receives Nausf_UEAuthentication_Authenticate Request signalingfrom the access network device, where the signaling includes the channelauthentication information. That the second network device sends thechannel authentication information to the first network device may be:The second network device sends Nudm_UEAuthentication_ResultConfirmationRequest signaling to the first network device, where the signalingincludes the channel authentication information.

In this implementation, the second network device forwards the channelauthentication information, so that the first network device verifieswhether the message received by the access network device from theterminal device is valid or invalid.

In a possible implementation, the method further includes: The secondnetwork device receives the public key of the terminal device; and thesecond network device sends the public key of the terminal device to thefirst network device.

That the second network device receives the public key of the terminaldevice may be: The second network device receivesNausf_UEAuthentication_Authenticate Request signaling, where thesignaling includes the public key of the terminal device. That thesecond network device sends the public key of the terminal device to thefirst network device may be: The second network device sendsNudm_UEAuthentication_Get Request signaling to the first network device,where the signaling includes the public key of the terminal device.

In this manner, the second network device forwards, to the first networkdevice, the public key from the terminal device, so that the firstnetwork device generates the pilot key.

According to a ninth aspect, an embodiment of this disclosure provides acommunication apparatus, including: a transceiver module, configured toreceive a first received encrypted reference signal, where the firstreceived encrypted reference signal includes a signal received by aterminal device when a first sent encrypted reference signal sent by anaccess network device is transmitted through a channel, the first sentencrypted reference signal is obtained by using a pilot key and a firstreference signal, and the pilot key is obtained by using a private keyof the terminal device and a public key on a network device side, or thepilot key is obtained by using a private key on the network device sideand a public key of the terminal device; and a processing module,configured to perform channel estimation by using the first receivedencrypted reference signal and the first sent encrypted referencesignal, to obtain downlink channel state information, where thetransceiver module is further configured to send first information tothe access network device, where the first information includes thedownlink channel state information.

In this embodiment of this disclosure, the terminal device performschannel estimation by using the first sent encrypted reference signaland the first received encrypted reference signal, and sends downlinkchannel state information obtained by performing channel estimation, toprove that the terminal device is an authorized terminal device. Becausethe attacker cannot obtain the first sent encrypted reference signal,the attacker cannot obtain, through channel estimation, the downlinkchannel state information that can accurately represent the channelbetween the access network device and the terminal device. Therefore,the terminal device sends the downlink channel state information to theaccess network device, to effectively defend against a man-in-the-middleattack.

In a possible implementation, that the first sent encrypted referencesignal is obtained by using a pilot key and a first reference signalincludes: The first sent encrypted reference signal is obtained byencrypting the first reference signal using the pilot key, where thefirst sent encrypted reference signal includes at least two same firstencrypted sequences, and the first encrypted sequence is obtained byencrypting the first reference signal using the pilot key; or the firstsent encrypted reference signal includes a hash chain, the hash chainincludes at least two binary sequences, a first binary sequence in thehash chain is a second encrypted sequence, and the second encryptedsequence is obtained by encrypting the first reference signal using thepilot key.

In this implementation, the first sent encrypted reference signal isobtained by encrypting the first reference signal using the pilot key,and the first sent encrypted reference signal occupies few bits. Asolution in which the first sent encrypted reference signal includes atleast two same first encrypted sequences is highly reliable, and isapplicable to a scenario with a low security requirement. A solution inwhich the first sent encrypted reference signal includes a hash chainhas high security, and is applicable to a scenario with a high securityrequirement.

In a possible implementation, the processing module is furtherconfigured to: generate, when the terminal device works in a firstsecurity mode, the first sent encrypted reference signal including atleast two same first encrypted sequences, where the first encryptedsequence is obtained by encrypting the first reference signal using thepilot key; and generate, when the terminal device works in a secondsecurity mode, the first sent encrypted reference signal including ahash chain, where the hash chain includes at least two binary sequences,a first binary sequence in the hash chain is a second encryptedsequence, the second encrypted sequence is obtained by encrypting thefirst reference signal using the pilot key, and security of the firstsecurity mode is lower than security of the second security mode.

In this implementation, the terminal device generates, when working inthe first security mode, the first sent encrypted reference signal thatincludes at least two same first encrypted sequences, where a hashoperation does not need to be performed, and a calculation amount issmall, to be applicable to a scenario with high security; and theterminal device generates, when working in the second security mode, thefirst sent encrypted reference signal that includes at least a hashchain, where a plurality of times of hash operations are performed, andsecurity is high, to be applicable to a scenario with low security.

In a possible implementation, that the first sent encrypted referencesignal is obtained by using a pilot key and a first reference signalincludes: The first sent encrypted reference signal is obtained byencrypting the first reference signal using the pilot key, where thepilot key is obtained by performing a one-way hash operation on a sharedkey, and the shared key is obtained by using the private key of theterminal device and the public key on the network device side.

In this implementation, the pilot key is obtained by performing aone-way hash operation on the shared key. In this way, a key of arequired length can be obtained, and a difficulty of cracking the pilotkey can be further increased.

In a possible implementation, the first information further includes asecond sent encrypted reference signal, and the second sent encryptedreference signal is obtained by using the pilot key and a secondreference signal.

The second sent encrypted reference signal is used by the access networkdevice to perform channel estimation on an uplink channel between theaccess network device and the terminal device.

In a possible implementation, the transceiver module is furtherconfigured to receive first indication information, where the firstindication information indicates a location of the first receivedencrypted reference signal that is in second information and that is tobe received by the terminal device.

In this implementation, the terminal device can accurately obtain, basedon the first indication information, a location of the first receivedencrypted reference signal that is in second information and that is tobe received.

In a possible implementation, the first indication information furtherincludes at least one of the following: a first encrypted referencesignal type, a first encrypted reference signal length, a firstencrypted activation indication, and a first security mode indication,where the first encrypted reference signal type is a type of the firstreceived encrypted reference signal, the first encrypted referencesignal length indicates a length of the first received encryptedreference signal, the first encrypted activation indication indicatesthe access network device to send an unencrypted reference signal or anencrypted parameter signal, and the first security mode indicationindicates an encryption manner of the first received encrypted referencesignal.

In this implementation, the first indication information may carryinformation that can further define the reference signal to be sent bythe access network device, so that the terminal device can accuratelyobtain the encrypted reference signal or the unencrypted referencesignal sent by the access network device.

In a possible implementation, the processing module is specificallyconfigured to: perform channel estimation by using the first receivedencrypted reference signal and the first sent encrypted referencesignal, to obtain a downlink channel estimation value; and use firststrength characteristic information and first phase characteristicinformation that are extracted based on the downlink channel estimationvalue as the downlink channel state information.

In this implementation, the strength characteristic information and thephase characteristic information are extracted by using the downlinkchannel estimation value, so that downlink channel state informationthat accurately represents a downlink channel state can be obtained.

According to a tenth aspect, an embodiment of this disclosure providesanother communication apparatus, including: a transceiver module,configured to receive a second received encrypted reference signal,where the second received encrypted reference signal includes a signalreceived by an access network device when a second sent encryptedreference signal sent by a terminal device is transmitted through achannel, the second sent encrypted reference signal is obtained by usinga pilot key and a second reference signal, and the pilot key is obtainedby using a private key of the terminal device and a public key on anetwork device side, or the pilot key is obtained by using a private keyon the network device side and a public key of the terminal device; anda processing module, configured to perform channel estimation by usingthe second received encrypted reference signal and the second sentencrypted reference signal, to obtain uplink channel state information,where the transceiver module is further configured to send channelauthentication information to a first network device, where the channelauthentication information is for verifying whether a message receivedby the access network device from the terminal device is valid orinvalid, and the channel authentication information is obtained by usingthe uplink channel state information.

In this embodiment of this disclosure, the access network deviceperforms channel estimation by using the second sent encrypted referencesignal and the second received encrypted reference signal, to obtain theuplink channel state information. Then, the channel authenticationinformation is generated by using the uplink channel state information,and the channel authentication information is sent to the first networkdevice, so that the first network device verifies whether the messagereceived by the access network device from the terminal device is validor invalid, and can defend against a man-in-the-middle attack.

In a possible implementation, that the second sent encrypted referencesignal is obtained by using a pilot key and a second reference signalincludes: The second sent encrypted reference signal is obtained byencrypting the second reference signal by using the pilot key, where thesecond sent encrypted reference signal includes at least two same thirdencrypted sequences, and the third encrypted sequence is obtained byencrypting the second reference signal by using the pilot key; or thesecond sent encrypted reference signal includes a hash chain, the hashchain includes at least two binary sequences, a first binary sequence inthe hash chain is a fourth encrypted sequence, and the fourth encryptedsequence is obtained by encrypting the second reference signal by usingthe pilot key.

In this implementation, the first sent encrypted reference signal isobtained by encrypting the first reference signal using the pilot key,and the second sent encrypted reference signal occupies few bits. Asolution in which the second sent encrypted reference signal includes atleast two same third encrypted sequences is highly reliable, and isapplicable to a scenario with a low security requirement. A solution inwhich the second sent encrypted reference signal includes a hash chainhas high security, and is applicable to a scenario with a high securityrequirement.

In a possible implementation, that the second sent encrypted referencesignal is obtained by using a pilot key and a second reference signalincludes: The second sent encrypted reference signal is obtained byencrypting the second reference signal by using the pilot key, where thepilot key is obtained by performing a one-way hash operation on a sharedkey, and the shared key is obtained by using the private key on thenetwork device side and the public key of the terminal device.

In this implementation, the pilot key is obtained by performing aone-way hash operation on the shared key. In this way, a key of arequired length can be obtained, and a difficulty of cracking the pilotkey can be further increased.

In a possible implementation, the processing module is furtherconfigured to demodulate first information based on the uplink channelstate information, to obtain downlink channel state information; andgenerate the channel authentication information based on the uplinkchannel state information and the downlink channel state information.

In this implementation, the channel authentication information thatrepresents a similarity between the downlink channel estimated by theterminal device and the uplink channel estimated by the access networkdevice is generated based on the uplink channel state information andthe downlink channel state information, so that the channelauthentication information is for determining whether the messagereceived by the access network device from the terminal device is validor invalid.

In a possible implementation, the transceiver module is furtherconfigured to send second information to the terminal device, where thesecond information includes a first sent encrypted reference signal, andthe first sent encrypted reference signal is obtained by using the pilotkey and a first reference signal.

In this implementation, the first sent encrypted reference signal iscarried in the second information, so that an attacker cannot performchannel estimation, thereby defending against a man-in-the-middleattack.

In a possible implementation, the processing module is furtherconfigured to: generate, when the access network device works in a firstsecurity mode, the first sent encrypted reference signal including atleast two same first encrypted sequences, where the first encryptedsequence is obtained by encrypting the first reference signal using thepilot key; and generate, when the access network device works in asecond security mode, the first sent encrypted reference signalincluding a hash chain, where the hash chain includes at least twobinary sequences, a first binary sequence in the hash chain is a secondencrypted sequence, the second encrypted sequence is obtained byencrypting the first reference signal using the pilot key, and securityof the first security mode is lower than security of the second securitymode.

In this implementation, the access network device generates, whenworking in the first security mode, the first sent encrypted referencesignal that includes at least two same first encrypted sequences, wherea hash operation does not need to be performed, and a calculation amountis small, to be applicable to a scenario with high security. The accessnetwork device generates, when working in the second security mode, thefirst sent encrypted reference signal that includes at least a hashchain, where a plurality of times of hash operations are performed, andsecurity is high, to be applicable to a scenario with low security.

In a possible implementation, the transceiver module is furtherconfigured to receive second indication information, where the secondindication information indicates a location of the second receivedencrypted reference signal that is in first information and that is tobe received by the access network device.

In this implementation, the access network device can accurately obtain,based on the second indication information, a location of the secondreceived encrypted reference signal that is in first information andthat is to be received.

In a possible implementation, the second indication information furtherincludes at least one of the following: a second encrypted referencesignal type, a second encrypted reference signal length, a secondencrypted activation indication, and a second security mode indication,where the second encrypted reference signal type is a type of the secondreceived encrypted reference signal, the second encrypted referencesignal length indicates a length of the second received encryptedreference signal, the second encrypted activation indication indicatesthe access network device to send an unencrypted reference signal or anencrypted parameter signal, and the second security mode indicationindicates an encryption manner of the second received encryptedreference signal.

In this implementation, the second indication information may carryinformation that can further define the reference signal to be sent bythe access network device, so that the terminal device can accuratelyobtain the encrypted reference signal or the unencrypted referencesignal sent by the access network device.

In a possible implementation, the processing module is specificallyconfigured to: perform channel estimation by using the second receivedencrypted reference signal and the second sent encrypted referencesignal, to obtain an uplink channel estimation value; and use secondstrength characteristic information and second phase characteristicinformation that are extracted based on the uplink channel estimationvalue as the uplink channel state information.

In this implementation, the second strength characteristic informationand the second phase characteristic information are extracted by usingthe uplink channel estimation value, so that uplink channel stateinformation that accurately represents an uplink channel state can beobtained.

According to an eleventh aspect, an embodiment of this disclosureprovides another communication apparatus, including: a transceivermodule, configured to receive an authentication request, where theauthentication request carries a first received encrypted referencesignal, the first received encrypted reference signal includes a signalreceived by the terminal device when a first sent encrypted referencesignal sent by an access network device is transmitted through achannel, the first sent encrypted reference signal is obtained by usinga pilot key and a first reference signal, and the pilot key is obtainedby using a private key of the terminal device and a public key on anetwork device side, or the pilot key is obtained by using a private keyon the network device side and a public key of the terminal device; anda processing module, configured to perform channel estimation by usingthe first received encrypted reference signal and the first sentencrypted reference signal, to obtain downlink channel stateinformation, where the transceiver module is further configured to sendan authentication response to the access network device, where theauthentication response includes the downlink channel state information.

In this embodiment of this disclosure, the access network deviceperforms channel estimation by using the second sent encrypted referencesignal and the second received encrypted reference signal, to obtain theuplink channel state information; and generates channel authenticationinformation by using the uplink channel state information, to verifywhether a message received by the access network device from theterminal device is valid or invalid, that is, defend against aman-in-the-middle attack.

In a possible implementation, that the first sent encrypted referencesignal is obtained by using a pilot key and a first reference signalincludes: The first sent encrypted reference signal is obtained byencrypting the first reference signal using the pilot key, where thefirst sent encrypted reference signal includes at least two same firstencrypted sequences, and the first encrypted sequence is obtained byencrypting the first reference signal using the pilot key; or the firstsent encrypted reference signal includes a hash chain, the hash chainincludes at least two binary sequences, a first binary sequence in thehash chain is a second encrypted sequence, and the second encryptedsequence is obtained by encrypting the first reference signal using thepilot key.

In this implementation, the first sent encrypted reference signal isobtained by encrypting the first reference signal using the pilot key,and the first sent encrypted reference signal occupies few bits. Asolution in which the first sent encrypted reference signal includes atleast two same first encrypted sequences is highly reliable, and isapplicable to a scenario with a low security requirement. A solution inwhich the first sent encrypted reference signal includes a hash chainhas high security, and is applicable to a scenario with a high securityrequirement.

In a possible implementation, the processing module is furtherconfigured to: generate, when the terminal device works in a firstsecurity mode, the first sent encrypted reference signal including atleast two same first encrypted sequences, where the first encryptedsequence is obtained by encrypting the first reference signal using thepilot key; and the terminal device generates, when working in a secondsecurity mode, the first sent encrypted reference signal including ahash chain, where the hash chain includes at least two binary sequences,a first binary sequence in the hash chain is a second encryptedsequence, the second encrypted sequence is obtained by encrypting thefirst reference signal using the pilot key, and security of the firstsecurity mode is lower than security of the second security mode.

In this implementation, the terminal device generates, when working inthe first security mode, the first sent encrypted reference signal thatincludes at least two same first encrypted sequences, where a hashoperation does not need to be performed, and a calculation amount issmall, to be applicable to a scenario with high security; and theterminal device generates, when working in the second security mode, thefirst sent encrypted reference signal that includes at least a hashchain, where a plurality of times of hash operations are performed, andsecurity is high, to be applicable to a scenario with low security.

In a possible implementation, the first sent encrypted reference signalis obtained by encrypting the first reference signal using the pilotkey, where the pilot key is obtained by performing a one-way hashoperation on a shared key, and the shared key is obtained by using theprivate key of the terminal device and the public key on the networkdevice side.

In this implementation, the pilot key is obtained by performing aone-way hash operation on the shared key. In this way, a key of arequired length can be obtained, and a difficulty of cracking the pilotkey can be further increased.

In a possible implementation, the authentication response furtherincludes a second sent encrypted reference signal, and the second sentencrypted reference signal is obtained by using the pilot key and asecond reference signal.

In this implementation, the second sent encrypted reference signal iscarried in the authentication response, so that an attacker cannotimplement channel estimation, thereby defending against aman-in-the-middle attack.

In a possible implementation, the transceiver module is furtherconfigured to receive first indication information, where the firstindication information indicates a location of the first receivedencrypted reference signal that is in the authentication request andthat is to be received by the terminal device.

In this implementation, the first indication information indicates thelocation of the first received encrypted reference signal that is in theauthentication request and that is to be received by the terminaldevice, and the terminal device can accurately obtain, based on thefirst indication information, the location of the first receivedencrypted reference signal that is in the second information and that isto be received.

In a possible implementation, the first indication information furtherincludes at least one of the following: a first encrypted referencesignal type, a first encrypted reference signal length, a firstencrypted activation indication, and a first security mode indication,where the first encrypted reference signal type is a type of the firstreceived encrypted reference signal, the first encrypted referencesignal length indicates a length of the first received encryptedreference signal, the first encrypted activation indication indicatesthe access network device to send an unencrypted reference signal or anencrypted parameter signal, and the first security mode indicationindicates an encryption manner of the first received encrypted referencesignal.

In this implementation, the first indication information may carryinformation that can further define the reference signal to be sent bythe access network device, so that the terminal device can accuratelyobtain the encrypted reference signal or the unencrypted referencesignal sent by the access network device.

In a possible implementation, the processing module is specificallyconfigured to: perform channel estimation by using the first receivedencrypted reference signal and the first sent encrypted referencesignal, to obtain a downlink channel estimation value; and use firststrength characteristic information and first phase characteristicinformation that are extracted based on the downlink channel estimationvalue as the downlink channel state information.

In this implementation, the strength characteristic information and thephase characteristic information are extracted by using the downlinkchannel estimation value, so that downlink channel state informationthat accurately represents a downlink channel state can be obtained.

In a possible implementation, the processing module is furtherconfigured to encrypt (for example, symmetrically encrypt) asubscription permanent identifier SUPI by using the shared key, toobtain a subscription concealed identifier SUCI; and the transceivermodule is further configured to send a registration request, where theregistration request includes the SUCI and the public key of theterminal device.

In this implementation, the SUPI is encrypted by using the shared key,so that a risk that the SUPI is decrypted by an attacker can be reduced.

According to a twelfth aspect, an embodiment of this disclosure providesanother communication apparatus, including: a transceiver module,configured to receive an authentication response, where theauthentication response carries a second received encrypted referencesignal, the second received encrypted reference signal includes a signalreceived by the access network device when a second sent encryptedreference signal sent by a terminal device is transmitted through achannel, the second sent encrypted reference signal is obtained by usinga pilot key and a second reference signal, and the pilot key is obtainedby using a private key of the terminal device and a public key on anetwork device side, or the pilot key is obtained by using a private keyon the network device side and a public key of the terminal device; anda processing module, configured to perform channel estimation by usingthe second received encrypted reference signal and the second sentencrypted reference signal, to obtain uplink channel state information,where the transceiver module is further configured to send channelauthentication information to a first network device, where the channelauthentication information is for verifying whether a message receivedby the access network device from the terminal device is valid orinvalid, and the channel authentication information is obtained by usingthe uplink channel state information.

In this embodiment of this disclosure, the access network deviceperforms channel estimation by using the second sent encrypted referencesignal and the second received encrypted reference signal, to obtain theuplink channel state information. Then, the channel authenticationinformation is generated by using the uplink channel state information,and the channel authentication information is sent to the first networkdevice, so that the first network device verifies whether the messagereceived by the access network device from the terminal device is validor invalid, and can defend against a man-in-the-middle attack.

In a possible implementation, that the second sent encrypted referencesignal is obtained by using a pilot key and a second reference signalincludes: The second sent encrypted reference signal is obtained byencrypting the second reference signal by using the pilot key, where thesecond sent encrypted reference signal includes at least two same thirdencrypted sequences, and the third encrypted sequence is obtained byencrypting the second reference signal by using the pilot key; or thesecond sent encrypted reference signal includes a hash chain, the hashchain includes at least two binary sequences, a first binary sequence inthe hash chain is a fourth encrypted sequence, and the fourth encryptedsequence is obtained by encrypting the second reference signal by usingthe pilot key.

In this implementation, the first sent encrypted reference signal isobtained by encrypting the first reference signal using the pilot key,and the second sent encrypted reference signal occupies few bits. Asolution in which the second sent encrypted reference signal includes atleast two same third encrypted sequences is highly reliable, and isapplicable to a scenario with a low security requirement. A solution inwhich the second sent encrypted reference signal includes a hash chainhas high security, and is applicable to a scenario with a high securityrequirement.

In a possible implementation, that the second sent encrypted referencesignal is obtained by using a pilot key and a second reference signalincludes: The second sent encrypted reference signal is obtained byencrypting the second reference signal by using the pilot key, where thepilot key is obtained by performing a one-way hash operation on a sharedkey, and the shared key is obtained by using the private key on thenetwork device side and the public key of the terminal device.

In this implementation, the pilot key is obtained by performing aone-way hash operation on the shared key. In this way, a key of arequired length can be obtained, and a difficulty of cracking the pilotkey can be further increased.

In a possible implementation, the processing module is furtherconfigured to demodulate the authentication response based on the uplinkchannel state information, to obtain downlink channel state information;and generate the channel authentication information based on the uplinkchannel state information and the downlink channel state information.

In this implementation, the access network device generates, based onthe uplink channel state information and the downlink channel stateinformation, the channel authentication information that represents asimilarity between the downlink channel estimated by the terminal deviceand the uplink channel estimated by the access network device, so thatthe channel authentication information is for determining whether themessage received by the access network device from the terminal deviceis valid or invalid.

In a possible implementation, the transceiver module is furtherconfigured to send an authentication request to the terminal device,where the authentication request includes a first sent encryptedreference signal, and the first sent encrypted reference signal isobtained by using the pilot key and a first reference signal.

In this implementation, the first sent encrypted reference signal iscarried in the authentication request, so that an attacker cannotperform channel estimation, thereby defending against aman-in-the-middle attack.

In a possible implementation, the processing module is furtherconfigured to: generate, when the access network device works in a firstsecurity mode, the first sent encrypted reference signal including atleast two same first encrypted sequences, where the first encryptedsequence is obtained by encrypting the first reference signal using thepilot key; and generate, when the access network device works in asecond security mode, the first sent encrypted reference signalincluding a hash chain, where the hash chain includes at least twobinary sequences, a first binary sequence in the hash chain is a secondencrypted sequence, the second encrypted sequence is obtained byencrypting the first reference signal using the pilot key, and securityof the first security mode is lower than security of the second securitymode.

In this implementation, the access network device generates, whenworking in the first security mode, the first sent encrypted referencesignal that includes at least two same first encrypted sequences, wherea hash operation does not need to be performed, and a calculation amountis small, to be applicable to a scenario with high security; and theaccess network device generates, when working in the second securitymode, the first sent encrypted reference signal that includes at least ahash chain, where a plurality of times of hash operations are performed,and security is high, to be applicable to a scenario with low security.

In a possible implementation, the transceiver module is furtherconfigured to receive second indication information, where the secondindication information indicates a location of the second receivedencrypted reference signal that is in the authentication response andthat is to be received by the access network device.

In this implementation, the second indication information indicates thelocation of the second received encrypted reference signal that is inthe authentication response and that is to be received by the accessnetwork device, and the access network device can accurately obtain,based on the second indication information, the location of the secondreceived encrypted reference signal that is in the first information andthat is to be received.

In a possible implementation, the second indication information furtherincludes at least one of the following: a second encrypted referencesignal type, a second encrypted reference signal length, a secondencrypted activation indication, and a second security mode indication,where the second encrypted reference signal type is a type of the secondreceived encrypted reference signal, the second encrypted referencesignal length indicates a length of the second received encryptedreference signal, the second encrypted activation indication indicatesthe access network device to send an unencrypted reference signal or anencrypted parameter signal, and the second security mode indicationindicates an encryption manner of the second received encryptedreference signal.

In this implementation, the second indication information may carryinformation that can further define the reference signal to be sent bythe access network device, so that the terminal device can accuratelyobtain the encrypted reference signal or the unencrypted referencesignal sent by the access network device.

In a possible implementation, the processing module is specificallyconfigured to: perform channel estimation by using the second receivedencrypted reference signal and the second sent encrypted referencesignal, to obtain an uplink channel estimation value; and use secondstrength characteristic information and second phase characteristicinformation that are extracted based on the uplink channel estimationvalue as the uplink channel state information.

In this implementation, the second strength characteristic informationand the second phase characteristic information are extracted by usingthe uplink channel estimation value, so that uplink channel stateinformation that accurately represents an uplink channel state can beobtained.

In a possible implementation, the transceiver module is furtherconfigured to receive a registration request from the terminal device,where the registration request carries a subscription concealedidentifier SUCI and the public key of the terminal device; and forwardthe SUCI and the public key of the terminal device to a second networkdevice, or the processing module is further configured to generate theshared key by using the public key of the terminal device and theprivate key on the network device side.

In this implementation, the public key of the terminal device may beobtained, and then the shared key may be obtained or generated.

According to a thirteenth aspect, an embodiment of this disclosureprovides another communication apparatus, including: a transceivermodule, configured to send a first sent encrypted reference signal to aterminal device, where the first sent encrypted reference signal isobtained by using a pilot key and a first reference signal, and thepilot key is obtained by using a private key of the terminal device anda public key on a network device side, or the pilot key is obtained byusing a private key on the network device side and a public key of theterminal device; the transceiver module is further configured to receivefirst information from the terminal device, where the first informationincludes downlink channel state information, the downlink channel stateinformation is obtained by performing channel estimation by using afirst received encrypted reference signal and the first sent encryptedreference signal, and the first received encrypted reference signalincludes a signal received by the terminal device when the first sentencrypted reference signal sent by an access network device istransmitted through a channel; and a processing module, configured togenerate channel authentication information, where the channelauthentication information is for verifying whether a message receivedby the access network device from the terminal device is valid orinvalid, and the channel authentication information is obtained by usingthe downlink channel state information, where the transceiver module isfurther configured to send the channel authentication information to afirst network device.

In this embodiment of this disclosure, the terminal device performschannel estimation by using the first sent encrypted reference signaland the first received encrypted reference signal, and sends downlinkchannel state information obtained by performing channel estimation, toprove that the terminal device is an authorized terminal device. Becausethe attacker cannot obtain the first sent encrypted reference signal,the attacker cannot obtain, through channel estimation, the downlinkchannel state information that can accurately represent the channelbetween the access network device and the terminal device. Therefore,the terminal device sends the downlink channel state information to theaccess network device, to effectively defend against a man-in-the-middleattack.

In a possible implementation, the processing module is furtherconfigured to perform channel estimation by using second receivedencrypted reference signal and second sent encrypted reference signal,to obtain uplink channel state information, where the second sentencrypted reference signal is obtained by using the pilot key and asecond reference signal, the second received encrypted reference signalincludes a signal received by the access network device when the secondsent encrypted reference signal sent by the terminal device istransmitted through a channel, and the second sent encrypted referencesignal is included in the first information; and generate the channelauthentication information based on the uplink channel state informationand the downlink channel state information.

In this implementation, the second sent encrypted reference signal iscarried in the first information, so that an attacker cannot implementchannel estimation, thereby defending against a man-in-the-middleattack.

According to a fourteenth aspect, an embodiment of this disclosureprovides another communication apparatus, including: a transceivermodule, configured to receive a first received encrypted referencesignal, where the first received encrypted reference signal includes asignal received by a terminal device when a first sent encryptedreference signal sent by an access network device is transmitted througha channel, the first sent encrypted reference signal is obtained byusing a pilot key and a first reference signal, and the pilot key isobtained by using a private key of the terminal device and a public keyon a network device side, or the pilot key is obtained by using aprivate key on the network device side and a public key of the terminaldevice; and a processing module, configured to generate firstinformation, where the first information includes a second sentencrypted reference signal and downlink channel state information, thesecond sent encrypted reference signal is obtained by using the pilotkey and a second reference signal, and the downlink channel stateinformation is obtained by using the first received encrypted referencesignal, where the transceiver module is further configured to send thefirst information to the access network device.

In this embodiment of this disclosure, the access network device sendsthe first sent encrypted reference signal to the terminal device, sothat only the authorized terminal device can obtain the downlink channelstate information through channel estimation. Then, the channelauthentication information obtained by using the downlink channel stateinformation is sent to the first network device, so that the firstnetwork device verifies whether the message received by the accessnetwork device from the terminal device is valid or invalid, and candefend against a man-in-the-middle attack.

In a possible implementation, the processing module is furtherconfigured to perform channel estimation by using the first receivedencrypted reference signal and the first sent encrypted referencesignal, to obtain the downlink channel state information.

In this implementation, the access network device generates, based onthe uplink channel state information and the downlink channel stateinformation, the channel authentication information that represents asimilarity between the downlink channel estimated by the terminal deviceand the uplink channel estimated by the access network device, so thatthe channel authentication information is for determining whether themessage received by the access network device from the terminal deviceis valid or invalid.

According to a fifteenth aspect, an embodiment of this disclosureprovides another communication apparatus, including: a transceivermodule, configured to receive channel authentication information, wherethe channel authentication information represents a correlation betweenan uplink channel estimated by an access network device and a downlinkchannel estimated by a terminal device; and a processing module,configured to verify, based on the channel authentication information,whether a message received by the access network device from theterminal device is valid or invalid.

In this embodiment of this disclosure, whether the message received bythe access network device from the terminal device is valid or invalidis verified based on the channel authentication information, to defendagainst a man-in-the-middle attack.

In a possible implementation, the processing module is furtherconfigured to generate the shared key by using the public key of theterminal device and the private key on the network device side; and thetransceiver module is further configured to send the shared key or apilot key, where the pilot key is obtained by performing a one-way hashoperation on the shared key by the processing module, and the pilot keyor the shared key is used by the access network device to generate thechannel authentication information.

In this implementation, the shared key is generated, and the shared keyor the pilot key is sent, so that the access network device may encrypta reference signal by using the pilot key.

According to a sixteenth aspect, an embodiment of this disclosureprovides another communication apparatus, including: a transceivermodule, configured to send a public key of a terminal device to a firstnetwork device, where the transceiver module is further configured toreceive a shared key or a pilot key sent by the first network device,where the shared key is obtained by using the public key of the terminaldevice and a private key on a network device side, and the pilot key isobtained by performing a one-way hash operation on the shared key; and aprocessing module, configured to generate key information that includesthe shared key or the pilot key, where the transceiver module is furtherconfigured to send the key information.

In this embodiment of this disclosure, a second network device sends thekey information, so that an access network device encrypts a referencesignal by using pilot information.

In a possible implementation, the transceiver module is furtherconfigured to: receive channel authentication information from theaccess network device; and send the channel authentication informationto the first network device, where the channel authenticationinformation is for verifying whether a message received by the accessnetwork device from the terminal device is valid or invalid.

In this implementation, the second network device forwards the channelauthentication information, so that the first network device verifieswhether the message received by the access network device from theterminal device is valid or invalid.

In a possible implementation, the transceiver module is furtherconfigured to: receive the public key of the terminal device; and sendthe public key of the terminal device to the first network device.

In this manner, the second network device forwards, to the first networkdevice, the public key from the terminal device, so that the firstnetwork device generates the pilot key.

According to a seventeenth aspect, this disclosure provides acommunication apparatus. The communication apparatus includes aprocessor, and the processor may be configured to executecomputer-executable instructions stored in a memory, so that the methodshown in the first aspect or any possible implementation of the firstaspect is performed, the method shown in the second aspect or anypossible implementation of the second aspect is performed, the methodshown in the third aspect or any possible implementation of the thirdaspect is performed, the method shown in the fourth aspect or anypossible implementation of the fourth aspect is performed, the methodshown in the fifth aspect or any possible implementation of the fifthaspect is performed, the method shown in the sixth aspect or anypossible implementation of the sixth aspect is performed, the methodshown in the seventh aspect or any possible implementation of theseventh aspect is performed, or the method shown in the eighth aspect orany possible implementation of the eighth aspect is performed.

In this embodiment of this disclosure, for a specific description of theprocessor, refer to the description of the first aspect. Details are notdescribed herein again.

In this embodiment of this disclosure, in a process of performing theforegoing method, a process of sending information in the foregoingmethod may be understood as a process of outputting information based onan instruction of the processor. When the information is output, theprocessor outputs the information to a transceiver, so that thetransceiver transmits the information. After the information is outputby the processor, the information may further require other processing,and then reaches the transceiver. Similarly, when the processor receivesinput information, the transceiver receives the information, and inputsthe information into the processor. Still further, after the transceiverreceives the information, the information may require additionalprocessing, and then is input into the processor.

An operation such as sending and/or receiving involved in the processormay be generally understood as an instruction output based on theprocessor if there is no special description, or if the operation doesnot conflict with an actual function or internal logic of the operationin a related description.

In an implementation process, the processor may be a processor speciallyconfigured to perform these methods, or may be a processor, for example,a general-purpose processor that executes computer instructions in amemory to perform these methods. For example, the processor may befurther configured to execute a program stored in the memory. When theprogram is executed, the communication apparatus is enabled to performthe method shown in the first aspect or any possible implementation ofthe first aspect.

In a possible implementation, the memory is located outside thecommunication apparatus.

In a possible implementation, the memory is located inside thecommunication apparatus.

In this embodiment of this disclosure, the processor and the memory mayalternatively be integrated into one component. In other words, theprocessor and the memory may alternatively be integrated together.

In a possible implementation, the communication apparatus furtherincludes a transceiver. The transceiver is configured to receive apacket, send a packet, or the like.

According to an eighteenth aspect, this disclosure provides acommunication apparatus, where the communication apparatus includes aprocessing circuit and an interface circuit, and the interface circuitis configured to obtain data or output data; and the processing circuitis configured to perform the corresponding method shown in the firstaspect or any possible implementation of the first aspect, theprocessing circuit is configured to perform the corresponding methodshown in the second aspect or any possible implementation of the secondaspect, the processing circuit is configured to perform thecorresponding method shown in the third aspect or any possibleimplementation of the third aspect, the processing circuit is configuredto perform the corresponding method shown in the fourth aspect or anypossible implementation of the fourth aspect, the processing circuit isconfigured to perform the corresponding method shown in the fifth aspector any possible implementation of the fifth aspect, the processingcircuit is configured to perform the corresponding method shown in thesixth aspect or any possible implementation of the sixth aspect, theprocessing circuit is configured to perform the corresponding methodshown in the seventh aspect or any possible implementation of theseventh aspect, or the processing circuit is configured to perform thecorresponding method shown in the eighth aspect or any possibleimplementation of the eighth aspect.

According to a nineteenth aspect, this disclosure provides acomputer-readable storage medium. The computer-readable storage mediumis configured to store a computer program. When the computer programruns on a computer, the method shown in the first aspect or any possibleimplementation of the first aspect is performed, the method shown in thesecond aspect or any possible implementation of the second aspect isperformed, the method shown in the third aspect or any possibleimplementation of the third aspect is performed, the method shown in thefourth aspect or any possible implementation of the fourth aspect isperformed, the method shown in the fifth aspect or any possibleimplementation of the fifth aspect is performed, the method shown in thesixth aspect or any possible implementation of the sixth aspect isperformed, the method shown in the seventh aspect or any possibleimplementation of the seventh aspect is performed, or the method shownin the eighth aspect or any possible implementation of the eighth aspectis performed.

According to a twentieth aspect, this disclosure provides a computerprogram product. The computer program product includes a computerprogram or computer code. When the computer program or computer coderuns on a computer, the method shown in the first aspect or any possibleimplementation of the first aspect is performed, the method shown in thesecond aspect or any possible implementation of the second aspect isperformed, the method shown in the third aspect or any possibleimplementation of the third aspect is performed, the method shown in thefourth aspect or any possible implementation of the fourth aspect isperformed, the method shown in the fifth aspect or any possibleimplementation of the fifth aspect is performed, the method shown in thesixth aspect or any possible implementation of the sixth aspect isperformed, the method shown in the seventh aspect or any possibleimplementation of the seventh aspect is performed, or the method shownin the eighth aspect or any possible implementation of the eighth aspectis performed.

BRIEF DESCRIPTION OF DRAWINGS

To describe technical solutions in embodiments of this disclosure or inthe background more clearly, the following describes accompanyingdrawings used for describing embodiments of this disclosure or thebackground.

FIG. 1 is a schematic diagram of a 5G network architecture according tothis disclosure;

FIG. 2A is a schematic diagram of a man-in-the-middle transparentforwarding attack according to an embodiment of this disclosure;

FIG. 2B is a schematic diagram of a location spoofing attack accordingto an embodiment of this disclosure;

FIG. 3 is a schematic diagram of an authentication solution;

FIG. 4 is a schematic diagram of a location spoofing attack in a samevisiting network;

FIG. 5 is a schematic diagram of location spoofing attacks in differentnetworks;

FIG. 6 is a diagram of an interaction process of an authenticationmethod according to an embodiment of this disclosure;

FIG. 7 is a diagram of an interaction process of another authenticationmethod according to an embodiment of this disclosure;

FIG. 8 is a schematic diagram of a signal flow according to anembodiment of this disclosure;

FIG. 9 is a flowchart of generating an encrypted reference signalaccording to an embodiment of this disclosure;

FIG. 10A to FIG. 10C are schematic diagrams of first sent encryptedreference signals according to an embodiment of this disclosure;

FIG. 11 is a diagram of an interaction process of another authenticationmethod according to an embodiment of this disclosure;

FIG. 12 is a diagram of an interaction process of another authenticationmethod according to an embodiment of this disclosure;

FIG. 13 is a diagram of an interaction process of another authenticationmethod according to an embodiment of this disclosure;

FIG. 14 is a diagram of an interaction process of another authenticationmethod according to an embodiment of this disclosure;

FIG. 15A and FIG. 15B are diagrams of an interaction process of anotherauthentication method according to an embodiment of this disclosure;

FIG. 16 is a schematic diagram of a structure of a communicationapparatus according to an embodiment of this disclosure;

FIG. 17 is a schematic diagram of a structure of another communicationapparatus according to an embodiment of this disclosure;

FIG. 18 is a schematic diagram of a structure of another communicationapparatus according to an embodiment of this disclosure;

FIG. 19 is a schematic diagram of a structure of another communicationapparatus according to an embodiment of this disclosure;

FIG. 20 is a schematic diagram of a structure of another communicationapparatus according to an embodiment of this disclosure; and

FIG. 21 is a schematic diagram of a structure of a network deviceaccording to an embodiment of this disclosure.

DESCRIPTION OF EMBODIMENTS

To make the objectives, technical solutions, and advantages of thisdisclosure clearer, the following further describes this disclosure indetail with reference to the accompanying drawings.

The terms “first”, “second”, and the like in the specification, claims,and accompanying drawings of this disclosure are merely used todistinguish different objects, but are not used to describe a specificorder. In addition, terms such as “including” and “having” and any othervariants thereof are intended to cover a non-exclusive inclusion. Forexample, a process, a method, a system, a product, or a device thatincludes a series of steps or units is not limited to the listed stepsor units, but optionally further includes steps or units that are notlisted, or optionally further includes other steps or units inherent tothese processes, methods, products, or devices.

“Embodiments” mentioned herein mean that specific features, structures,or characteristics described in conjunction with the embodiments may beincluded in at least one embodiment of this disclosure. The phraseappearing at various locations in this specification does notnecessarily refer to a same embodiment, and is not an independent oralternative embodiment mutually exclusive to another embodiment. It canbe understood explicitly and implicitly by those skilled in the art thatthe embodiments described herein may be combined with other embodiments.

In this disclosure, “at least one (item)” refers to one or more, “aplurality of” refers to two or more, “at least two (items)” refers totwo or three or more, and “and/or” is used to describe an associationrelationship between associated objects, and indicates that threerelationships may exist, for example, “A and/or B” may indicate: Only Aexists, only B exists, and both A and B exist. A and B may be singularor plural. The character “/” generally indicates that the associatedobjects are in an “OR” relationship. “At least one of the followingitems” or a similar expression thereof refers to any combination ofthese items. For example, at least one of a, b, or c may represent: a,b, c, “a and b”, “a and c”, “b and c”, or “a and b and c”.

The following describes a network architecture in this disclosure indetail.

The technical solutions provided in this disclosure may be applied tovarious communication systems, for example, a long term evolution (longterm evolution, LTE) system, an LTE frequency division duplex (FDD)system, an LTE time division duplex (time division duplex, TDD), auniversal mobile telecommunication system (universal mobiletelecommunication system, UMTS), a worldwide interoperability formicrowave access (worldwide interoperability for microwave access,WiMAX) communication system, a 5th generation (5th generation, 5G)communication system or a new radio (new radio, NR), and othercommunication systems in the future, such as 6G. The following describesthe technical solutions provided in this disclosure by using a 5Gcommunication system as an example.

FIG. 1 is a schematic diagram of a 5G network architecture according tothis disclosure. As shown in FIG. 1 , the 5G network architectureincludes: an access network device, an authentication server function(authentication server function, AUSF), a unified data management(unified data management, UDM) function, and one or more terminaldevices (only a terminal device 1 and a terminal device 2 are shown inFIG. 1 ).

The UDM network element mainly manages user data, for example, managessubscription information, including obtaining subscription informationfrom a unified data repository function (Unified Data Repository, UDR)network element and providing the subscription information to othernetwork elements; generating a 3rd generation partnership project (3rdgeneration partnership project, 3GPP) authentication credential for auser equipment (user equipment, UE); and registering and maintaining anetwork element that currently serves the UE.

The AUSF is configured to perform security authentication on the UE whenthe UE accesses a network.

The terminal device may also be referred to as a user equipment. Theterminal device in this disclosure may be a device with a wirelesstransceiver function, and may communicate with one or more core network(core network, CN) devices (or may also be referred to as a core device,for example, a gNB) via an access network device (or may also bereferred to as an access device) in a radio access network (radio accessnetwork, RAN). Optionally, the terminal device may also be referred toas an access terminal, a terminal, a subscriber unit, a subscriberstation, a mobile station, a remote station, a remote terminal, a mobiledevice, a user terminal, a wireless network device, a user agent, a userapparatus, or the like. Optionally, the terminal device may be deployedon land, including indoors or outdoors, handheld, or vehicle-mounted;may alternatively be deployed on the water surface (such as a ship); ormay alternatively be deployed in the air (for example, on an aircraft, aballoon, a satellite, and the like). Optionally, the terminal device maybe a handheld device with a wireless communication function, anin-vehicle device, a wearable device, a terminal in the Internet ofThings or Internet of Vehicles, a terminal in any form in a 5G networkor a future network, or the like. This is not limited in thisdisclosure.

The access network device may be a device that can communicate with theterminal device. The access network device may be any device with awireless transceiver function. The access network device may be a basestation, an access point, or a transmission reception point(transmission reception point, TRP), or may be a device that is in anaccess network and that communicates with the terminal device on an airinterface by using one or more cells (cell), or the like. This is notlimited in this disclosure. For example, the base station may be anevolved NodeB (evolved NodeB, eNB, or eNodeB) in LTE, a relay station,an access point, a next generation base station (next generation, gNB)in a 5G network, or the like. It may be understood that the base stationmay alternatively be a base station or the like in a future evolvedpublic land mobile network (public land mobile network, PLMN).Optionally, the access network device may alternatively be an accessnode, a wireless relay node, a wireless backhaul node, or the like in awireless local area network (wireless fidelity, Wi-Fi) system.Optionally, the access network device may alternatively be a radiocontroller in a cloud radio access network (cloud radio access network,CRAN) scenario.

As described in the background, the currently used authentication methodcannot defend against the man-in-the-middle attacks very well. As aresult, it is necessary to study a solution that can defend against theman-in-the-middle attacks better. The following first describes aman-in-the-middle attack mode and describes two specificman-in-the-middle attacks with reference to the accompanying drawings.

In a man-in-the-middle attack model, an attacker acts as a maliciousrelay, mainly including a rogue base station (corresponding to an accessnetwork device) and rogue user equipment (corresponding to a terminaldevice) and having a capability of intercepting and sending a radiosignal of a specific frequency. The two specific man-in-the-middleattacks are: a transparent forwarding attack and a user locationspoofing attack.

FIG. 2A is a schematic diagram of a man-in-the-middle transparentforwarding attack according to an embodiment of this disclosure. Asshown in FIG. 2A, the rogue base station and the rogue user equipmenttransparently forward authentication signaling between an authorizeduser equipment (that is, the authorized user equipment) and anauthorized base station (that is, the authorized base station). Therogue base station successfully passes authentication of the authorizeduser equipment. After the authorized user equipment successfullyaccesses the rogue base station, the rogue base station can choose todiscard some uplink or downlink messages to cause a DoS of the user,leak user privacy, and tamper with a DNS message to direct the user to amalicious website or the like.

FIG. 2B is a schematic diagram of a location spoofing attack accordingto an embodiment of this disclosure. As shown in FIG. 2B, a rogue basestation and rogue user equipment are respectively in differentgeographical locations. The rogue base station is in a location A, andthe rogue user equipment is in a location B. A visiting network coveredby the geographical location A is different from that covered by thegeographical location B. An authorized user equipment of the visitingnetwork A successfully accesses a visiting network B through aman-in-the-middle, and an operator (corresponding to an authorized basestation) considers that the user equipment is in the location B.

As a prerequisite of a man-in-the-middle attack, a communication linkneeds to be established between the rogue base station and theauthorized user equipment. Correspondingly, a communication link alsoneeds to be established between the rogue user equipment and theauthorized base station. The following describes a process in which therogue user equipment establishes an RRC connection to the authorizedbase station and a process in which the rogue base station establishesan RRC connection to the authorized user equipment, and describes howthe rogue base station and the rogue user equipment access acommunication system of the authorized user equipment and the authorizedbase station with reference to the accompanying drawings.

The rogue user equipment first intercepts a synchronization signalperiodically broadcast by the authorized base station, to obtain systeminformation. The system information includes parameters required forprocesses such as cell access, camping, and reselection of the userequipment. System information of a cell is the same for all userequipments. Therefore, the system information does not involve higherlayer encryption, and is sent in plain text. Due to openness ofstandards, the rogue user equipment may also decode all systeminformation of the cell. Specifically, the system information includes amaster information block (master information block, MIB) and a systeminformation block (system information block, SIB). The MIB includes a“parameter” field, indicating whether a current cell allowsintervention, and the SIB includes parameters related to a random accessprocess. The rogue user equipment initiates a random access request tothe authorized base station based on the SIB, and establishes an RRCconnection to the authorized base station.

The rogue base station tampers with the “parameter” field in the MIBthrough the system information intercepted by the rogue user equipment,to cause the tampered-with “parameter” field to indicate that a statusof a current authorized cell is “disabled”, and the authorized userequipment considers that the current authorized cell is rejected foraccess, and excludes the cell from a candidate range of cell selectionand reselection. In addition, the rogue base station sets a frequencyand a proper transmit power of the rogue base station based on cellselection related information included in the system information, suchas a frequency priority, to induce the authorized user equipment to handover to the rogue base station, and establish an RRC connection to theauthorized user equipment.

After the rogue base station and the rogue user equipment establishstable communication links (that is, RRC connections) to the authorizeduser equipment and the authorized base station respectively, the roguebase station and the rogue user equipment transparently forward realauthentication information between the authorized user equipment and theauthorized base station to facilitate authentication. Finally, the roguebase station and the rogue user equipment successfully access thecommunication system.

The following describes some solutions used to defend againstman-in-the-middle attacks.

Physical-Layer Authentication Solution:

When the rogue base station and the rogue user equipment use atransparent forwarding attack manner, a principle of the physical-layerauthentication solution is based on a difference between different radiolink channel environments. FIG. 3 is a schematic diagram of aphysical-layer authentication solution. As shown in FIG. 3 , a channelbetween an authorized user equipment and a man-in-the-middle (namely, arogue base station), that is, a channel 1, and a channel between aman-in-the-middle (namely, rogue user equipment) and an authorized basestation, that is, a channel 2 have a location decorrelation. Main stepsof the physical-layer authentication solution are generalized asfollows:

-   -   (1) The authorized user equipment performs channel estimation by        using a reference signal disclosed at a bottom layer, and        embodies a channel estimation result in authentication        signaling.    -   (2) The authorized base station performs channel estimation by        using the reference signal disclosed at the bottom layer.    -   (3) The authorized base station determines, based on the channel        estimation result sent by the user equipment and a local channel        estimation result, whether a man-in-the-middle attack exists.

In step (3), when a man-in-the-middle attack exists, the channel 1 andthe channel 2 do not correlate. When no man-in-the-middle attack exists,the channel estimation results of the authorized user and the basestation have a correlation. As shown in FIG. 3 , an attacker performstransparent forwarding/location spoofing. Based on the physical-layerauthentication solution, the authorized user equipment estimates thechannel 1, to obtain characteristic information CSI_(down1) of adownlink channel between the rogue base station and the authorized user.The authorized base station estimates the channel 2, to obtaincharacteristic information CSI_(up2) of an uplink channel between therogue user equipment and the authorized base station. In thephysical-layer authentication solution, because the channel 1 and thechannel 2 have the location decorrelation, that is, CSI_(down1) andCSI_(up2) do not correlate, a correlation between the characteristicinformation of the uplink channel and the characteristic information ofthe downlink channel is lower than a preset threshold. Therefore, it isconsidered that a signaling source is unauthorized, and aman-in-the-middle attack exists. However, the physical-layerauthentication solution cannot defend against a channel manipulationattack, that is, a channel manipulation attack carried out by anattacker based on a transparent forwarding/location spoofing attack. Asshown in FIG. 3 , based on the physical-layer authentication solution,the authorized user equipment estimates the channel 1 by using the pilotdisclosed at the bottom layer, to obtain the state informationCSI_(down1) of the downlink channel between the rogue base station andthe authorized user equipment. The authorized base station estimates thechannel 2 by using the pilot disclosed at the bottom layer, to obtainthe state information CSI_(up2) of the uplink channel between the rogueuser equipment and the authorized base station. In addition, because thedisclosed pilot is also known to the attacker, the rogue base stationand the rogue user equipment also perform channel estimation, to obtainstate information CSI_(down2) of the channel 1 and state informationCSI_(up1) of the channel 2, where CSI_(down1)≈CSI_(up1), andCSI_(down2)≈CSI_(up2). The attacker performs channel manipulation basedon a transparent forwarding/location attack, so that

_(up2)≈

_(down1) after the manipulation, that is,

_(up2) and

_(down1) have a correlation. Therefore, channel parameter verificationsucceeds.

Home Domain Enhancement Solution:

The home domain enhancement solution is mainly based on a method fordetermining an authentication interval of different service networks,and specific steps are as follows:

-   -   (1) An AUSF notifies a UDM of time and a result of an        authentication process, where the time and the result should        include an SUPI, an authentication timestamp, an authentication        type, and a visiting network name.    -   (2) The UDM stores an authentication status of a user. The        authentication status should include the SUPI, the        authentication timestamp, the authentication type, and the        visiting network name.    -   (3) The UDM replies to an authentication result of a home domain        of the AUSF by using Nudm_UEAuthentication_ResultConfirmation        Response signaling.

In step 3, the UDM detects location spoofing and completes protectionbased on a specific method used by the operator. For example, a homenetwork records time of last successful authentication of the user and acorresponding visiting network. When authentication requests fromdifferent visiting networks reach the home domain, the home networkdetermines whether the user has plenty of time to arrive at a newvisiting network.

Based on the foregoing method, it is assumed that a user registers witha visiting network in a geographical location A, and then registers witha visiting network in a location B with the same SUPI several minuteslater. If the location A and the location B are extremely far away, thehome network considers that the registration fails even if theAuthentication Response is correct.

The home domain enhancement solution mainly has the followingdisadvantages: 1. A location spoofing attack in a same visiting networkcannot be detected. 2. When the authentication interval is long,location spoofing of a visiting network cannot be detected successfully.FIG. 4 is a schematic diagram of a location spoofing attack in a samevisiting network. As shown in FIG. 4 , an authorized user equipment, anattacker, and an authorized base station are located in a same visitingnetwork, and the attacker launches a transparent forwarding attack. Inthe home domain enhancement solution, because an authentication requestforwarded by the attacker and a previous authentication request are fromthe same visiting network, the home domain considers the authenticationsuccessful. FIG. 5 is a schematic diagram of location spoofing attacksin different networks. As shown in FIG. 5 , an authorized user equipmentresides on a same visiting network for a long time, and an attackerlaunches a transparent forwarding/location spoofing attack. In the homedomain enhancement solution, because two times of authentication arefrom different visiting networks, a home domain compares an intervalΔT=T₂−T₁ between the two times of authentication with a preset thresholdT_(Threshold). When ΔT>T_(Threshold), this solution does not work.

Through research, it is found that a reason for the security problem(that is, the man-in-the-middle attack can be implemented) is that theauthorized base station cannot determine a source of signaling in anauthentication process. Currently, two-way authentication is usuallycompleted by determining whether a user equipment and a base station areauthorized by verifying whether a parameter satisfies a preset matchingcondition, but how an exchanged signaling flow arrives cannot bedetected and determined. Therefore, an attacker does not need to knowspecific content of interaction information but only needs totransparently forward the interaction information. The authenticationprocess can still pass. Encryption and integrity protection cannotdefend against a transparent forwarding attack. This disclosure providesan authentication solution that can effectively defend against aman-in-the-middle attack. A main principle is to determine whether asource of signaling of an access network device (for example, a basestation) in an authentication process is authorized, that is, whetherthe signaling is from an authorized user equipment. An aspect of theauthentication solution provided in this disclosure is that theauthentication and home domain control processes are improved, andphysical-layer channel information as an authentication parameter isintegrated in the authentication and home domain control processes.Performing attack detection by comparing a correlation or consistencybetween uplink channel state information and downlink channel stateinformation can defend against transparent forwarding and locationspoofing attacks in man-in-the-middle attacks. Another aspect of theauthentication solution provided in this disclosure is that channelestimation is performed by using an encrypted reference signal, todefend against a channel manipulation attack and prevent an attackerfrom stealing data. Further, this disclosure further provides a solutionfor transmitting encrypted reference signals of different securitylevels based on different security modes, to ensure that securityrequirements of different scenarios are satisfied. The followingdescribes an authentication method provided in this disclosure withreference to the accompanying drawings.

FIG. 6 is a diagram of an interaction process of an authenticationmethod according to an embodiment of this disclosure. As shown in FIG. 6, the interaction procedure of the method includes:

601: A terminal device receives a first received encrypted referencesignal from an access network device.

The first received encrypted reference signal includes a signal receivedby the terminal device when a first sent encrypted reference signal sentby the access network device is transmitted through a channel. The firstsent encrypted reference signal is obtained by using a pilot key and afirst reference signal. The pilot key is obtained by using a private keyof the terminal device and a public key on a network device side.Alternatively, the pilot key is obtained by using a private key on thenetwork device side and a public key of the terminal device

That a terminal device receives a first received encrypted referencesignal may be: The terminal device receives an authentication requestsent by the access network device, where the authentication requestcarries the first received encrypted reference signal. After receivingthe authentication request, the terminal device may obtain the firstreceived encrypted reference signal from the authentication request. Ina possible implementation, before receiving the authentication request,the terminal device receives first indication information from theaccess network device, where the first indication information indicatesa location of the first received encrypted reference signal that is inthe authentication request and that is to be received by the terminaldevice. After receiving the authentication request, the terminal deviceobtains the first received encrypted reference signal from theauthentication request based on the first indication information. Thefirst indication information may include a first encrypted referencesignal index, and the index indicates a location of the first receivedencrypted reference signal in the authentication request. The firstindication information may further include at least one of thefollowing: a first encrypted reference signal type, a first encryptedreference signal length, a first encrypted activation indication, and afirst security mode indication. The first encrypted reference signaltype is a type of the first received encrypted reference signal. Thefirst encrypted reference signal length indicates a length of the firstreceived encrypted reference signal. The first encryption activationindication indicates the access network device to send an unencryptedreference signal or an encrypted reference signal. The first securitymode indication indicates an encryption manner of the first receivedencrypted reference signal. The first encrypted reference signal typemay be a DM-RS, a CSI-RS, an SRS, or the like. The first encryptedreference signal length indicates a length of the first receivedencrypted reference signal. For example, if the length of the firstencrypted reference signal is K, it indicates that the encryptedreference signal to be sent by the access network device occupies Kbits, and K is an integer greater than 1. If the length of the firstencrypted reference signal is F, it indicates that the encryptedreference signal to be sent by the access network device occupies Fbits, and F is an integer greater than 1. The first security modeindication may indicate an encryption manner used for an encryptedreference signal to be sent by the access network device. For example,when the first security mode indication is 0, the encrypted referencesignal to be sent by the access network device includes at least twosame first encrypted sequences, and the first encrypted sequence isobtained by encrypting the first reference signal using the pilot key.For another example, when the first security mode indication is 1, theencrypted reference signal to be sent by the access network deviceincludes a hash chain, and the hash chain includes at least two binarysequences. A first binary sequence in the hash chain is a secondencrypted sequence, and the second encrypted sequence is obtained byencrypting the first reference signal using the pilot key. The firstencryption activation indication may indicate whether the access networkdevice sends an encrypted reference signal or an unencrypted referencesignal. In some communication scenarios with a low security requirement,the first encryption activation indication indicates the access networkdevice to send an unencrypted reference signal, for example, a DM-RS. Insome communication scenarios with a high security requirement, the firstencryption activation indication indicates the access network device tosend an encrypted reference signal (for example, the first sentencrypted reference signal).

602: The terminal device performs channel estimation by using the firstreceived encrypted reference signal and the first sent encryptedreference signal, to obtain downlink channel state information.

The downlink channel state information may represent a status that is ofa downlink channel and that is obtained by performing channel estimationby the terminal device. The downlink channel state information includesbut is not limited to a received signal strength, a channel impulseresponse, a channel frequency response, a received signal envelope, orthe like. A possible implementation of step 602 is as follows: Theterminal device performs channel estimation by using the first receivedencrypted reference signal and the first sent encrypted referencesignal, to obtain a downlink channel estimation value; and uses firststrength characteristic information and first phase characteristicinformation that are extracted based on the downlink channel estimationvalue as the downlink channel state information. The terminal device mayperform channel estimation by using a least square method, a minimummean square error method, or the like. The least square method is usedas an example. It is assumed that a frequency domain responsecorresponding to a first sent encrypted reference signal PRS generatedby an access network device (for example, a base station) is X(k), and kis a subcarrier sequence number. Because the terminal device encryptsthe first reference signal by using the pilot key K_(s) to obtain thePRS, X(k) is known to the terminal device. Assuming that a frequencydomain response of an encrypted reference signal (that is, a firstreceived encrypted reference signal) received by the terminal device isY(k), a formula for performing channel estimation by the terminal deviceto obtain a downlink channel estimation value is as follows:

$\begin{matrix}{{H_{down}(k)} = {\frac{Y(k)}{X(k)} = {{❘{H_{down}(k)}❘}e^{j{\theta_{down}(k)}}}}} & (1)\end{matrix}$

where H_(down)(k) represents the downlink channel estimation value.

The terminal device extracts the first strength characteristicinformation |H_(down)(k)| and the first phase characteristic informationθ_(down)(k) based on the downlink channel estimation value as thedownlink channel state information CSI_(down). An extraction formula isas follows:

|H _(down)(k)|=√{square root over (real(H _(down)(k))²+imag(H_(down)(k))²)}  (2)

θ_(down)(k)=arctan(imag(H _(down)(k))/real(H _(down)(k)))  (3)

where |H_(down)(k)| represents the first intensity characteristicinformation, and θ_(down)(k) represents the first phase characteristicinformation.

In this implementation, the strength characteristic information and thephase characteristic information are extracted by using the downlinkchannel estimation value, so that downlink channel state informationthat accurately represents a downlink channel state can be obtained.

603: The terminal device sends first information to the access networkdevice.

the first information includes the downlink channel state information.That the terminal device sends first information to the access networkdevice may be: The terminal device sends an authentication response tothe access network device, where the authentication response includesthe downlink channel state information.

In this embodiment of this disclosure, the terminal device performschannel estimation by using the first received encrypted referencesignal and the first sent encrypted reference signal, to obtain thedownlink channel state information, to effectively defend againstman-in-the-middle attacks.

FIG. 7 is a diagram of an interaction process of another authenticationmethod according to an embodiment of this disclosure. The methodinteraction process in FIG. 7 is a refinement and improvement of themethod interaction process in FIG. 6 . As shown in FIG. 7 , theinteraction procedure of the method includes:

701: A terminal device generates a shared key by using a private key ofthe terminal device and a public key on a network device side.

The shared key K_(m) may be derived from the public key K_(p) ^(HN) onthe network device side and the private key K_(s) ^(UE) of the terminaldevice (that is, on the terminal device side): K_(m)=derive(K_(p) ^(HN),K_(s) ^(UE)), and derive(⋅) is a key derivation method. The terminaldevice may derive the shared key by using the private key of theterminal device and the public key on the network device side. It shouldbe understood that the terminal device may use any key derivation methodto generate the shared key by using the private key of the terminaldevice and the public key on the network device side.

After generating the shared key, the terminal device may further performthe following operations: The terminal device symmetrically encrypts anSUPI by using the shared key, to obtain an SUPI; and the terminal devicesends a registration request to an access network device, where theregistration request carries the SUPI and a public key of the terminaldevice.

702: The terminal device performs a one-way hash operation on the sharedkey, to obtain a pilot key.

The terminal device may perform a one-way hash function operation on theshared key K_(m) to obtain the pilot key K_(s), that is,K_(s)=hash(K_(m)), and hash (⋅) is a hash function, and may obtain apilot key of a required length.

703: The terminal device receives an authentication request.

The authentication request carries a first received encrypted referencesignal. A sequence in which the terminal device performs step 703 andstep 702 is not limited. In other words, the terminal device may firstperform step 702, or may first perform step 703.

704: The terminal device encrypts a first reference signal by using thepilot key, to obtain a first sent encrypted reference signal.

The first sent encrypted reference signal is obtained by encrypting thefirst reference signal using the pilot key. Alternatively, the firstsent encrypted reference signal includes at least two same firstencrypted sequences. The first encrypted sequence is obtained byencrypting the first reference signal using the pilot key.Alternatively, the first sent encrypted reference signal includes a hashchain, and the hash chain includes at least two binary sequences. Afirst binary sequence in the hash chain is a second encrypted sequence.The second encrypted sequence is obtained by encrypting the firstreference signal using the pilot key. A process in which the terminaldevice encrypts the first reference signal by using the pilot key and aformat of the first sent encrypted reference signal are described indetail in subsequent accompanying drawings.

705: The terminal device performs channel estimation by using the firstreceived encrypted reference signal and the first sent encryptedreference signal, to obtain downlink channel state information.

An implementation of step 705 may be the same as an implementation ofstep 602. In some embodiments, the terminal device may furtherdemodulate the authentication request by using the downlink channelstate information, to obtain information carried in the authenticationrequest.

706: The terminal device sends an authentication response to the accessnetwork device.

The authentication response may include the downlink channel stateinformation and a second sent encrypted reference signal, and the secondsent encrypted reference signal is obtained by using the pilot key and asecond reference signal. The second reference signal may be a DM-RS, anSRS, or the like.

In this embodiment of this disclosure, the terminal device performschannel estimation by using the encrypted reference signal, to defendagainst a channel operation attack.

In some embodiments, the terminal device and the access network devicemay pre-agree on a used encrypted reference signal, for example, a firstsent encrypted reference signal. Specifically, the terminal deviceconsiders a reference signal in any signal sent by the access networkdevice as the first sent encrypted reference signal by default. Forexample, the terminal device and the access network device pre-agreethat the signal sent by the access network device carries the first sentencrypted reference signal, and the terminal device performs channelestimation by using the first sent encrypted reference signal (known)and a signal received by the terminal device when the first sentencrypted reference signal is transmitted through a channel. In someother embodiments, the access network device may send indicationinformation (for example, first indication information) before sendingthe encrypted reference signal (for example, the first sent encryptedreference signal). The indication information may be a semi-staticconfiguration instruction, for example, RRC signaling or Media AccessControl signaling, or may be dynamic indication signaling, for example,DCI. Similarly, the terminal device may send indication information (forexample, second indication information) before sending the encryptedreference signal (for example, the second sent encrypted referencesignal). The indication information may be a semi-static configurationinstruction, for example, RRC signaling or Media Access Controlsignaling, or may be dynamic indication signaling, for example, UCI. Thefollowing uses DCI as an example to describe a manner in which theaccess network device indicates, by using indication information, alocation of an encrypted reference signal in a to-be-sent signal (forexample, an authentication request) of the access network device.

FIG. 8 is a schematic diagram of a signal flow according to anembodiment of this disclosure. FIG. 8 shows a signal flow sent by anaccess network device. The signal flow corresponds to a plurality ofsubframes, and each subframe is 1 ms. As shown in FIG. 8 , in a samesubframe, the access network device first sends DCI (corresponding tofirst indication information) through a physical downlink controlchannel (physical downlink control channel, PDCCH), and then sends anauthentication request through a physical downlink shared channel(physical downlink shared channel, PDSCH). The DCI sent by the accessnetwork device through the PDCCH includes an unencrypted DM-RS, and theauthentication request sent by the access network device through thePDSCH includes an encrypted DM-RS. A terminal device may perform channelestimation by using the unencrypted DM-RS in the DCI, and performdemodulation to obtain indication information (that is, a DCI indicationin FIG. 8 ) in the DCI. Then, the terminal device obtains the encryptedDM-RS (corresponding to a first sent encrypted reference signal) in theauthentication request based on the indication information in the DCI.Finally, the terminal device performs channel estimation and demodulatesthe authentication request by using the known encrypted DM-RS. Becauseboth the access network device and the terminal device may learn of aparameter corresponding to an unencrypted demodulation reference signal,after the terminal device obtains the indication information in the DCI,the terminal device may generate an encrypted demodulation referencesignal based on the indication information. When an attacker exists,even if the attacker can intercept the parameter corresponding to theunencrypted demodulation reference signal, the attacker cannot know theencrypted demodulation reference signal because the attacker does notknow a pilot key. Therefore, the attacker cannot perform channelestimation, and cannot demodulate signals transmitted through the PDSCHfor interception either. It should be understood that the DCI is anexample of dynamic indication signaling, and the DM-RS is an example ofa reference signal. In an actual downlink transmission scenario, theaccess network device may use any dynamic indication signaling, or mayuse another reference signal. It should be understood that a solutionfor indicating an encrypted reference signal in an uplink transmissionscenario is the same as a solution for indicating an encrypted referencesignal in a downlink transmission scenario. Details are not describedherein again.

The foregoing embodiments do not describe a process in which the accessnetwork device generates the first sent encrypted reference signal and aprocess in which the terminal device generates the second sent encryptedreference signal. A process in which the access network device generatesthe first sent encrypted reference signal and a process in which theterminal device generates the second sent encrypted reference signal aredescribed below with reference to the accompanying drawings.

FIG. 9 is a flowchart of generating an encrypted reference signalaccording to an embodiment of this disclosure. A left half diagram inFIG. 9 shows a process in which a terminal device generates a secondsent encrypted reference signal, and a right half diagram in FIG. 9shows a process in which an access network device generates a first sentencrypted reference signal. In FIG. 9 , K_(m) represents a shared key,K_(s) represents a pilot key, PRS2 represents a second sent encryptedreference signal, PRS1 represents a first sent encrypted referencesignal, and the access network device and the terminal device know areference signal used by each other. In some embodiments, referencesignals used by the access network device and the terminal device arethe same, and manners of encrypting the reference signals are also thesame. Therefore, the PRS1 and the PRS2 are the same. In someembodiments, reference signals used by the access network device and theterminal device are different, or manners of encrypting the referencesignals are different. Therefore, the PRS1 and the PRS2 are different.

As shown in FIG. 9 , the process in which the terminal device generatesthe second sent encrypted reference signal includes:

-   -   (1) The terminal device performs a one-way hash function        operation on the shared key K_(m) to obtain the pilot key K_(s).    -   K_(s)=hash(K_(m)), and hash(⋅) is a hash function.    -   (2) The terminal device encrypts a second reference signal by        using the pilot key K_(s), to obtain the second sent encrypted        reference signal.

The terminal device may use any encryption algorithm to encrypt thesecond reference signal by using the pilot key K_(s). For example, thesecond sent encrypted reference signal PRS2=E_(AES)(RS2), E_(AES( )) isan AES encryption algorithm, and RS2 represents the second referencesignal. For example, the unencrypted second reference signal is a Goldpseudo-random sequence, that is, a sequence in a form of binary bits 0and 1, and therefore the PRS2 encrypted by using the AES should be a newbinary sequence.

As shown in FIG. 9 , the process in which the access network devicegenerates the first sent encrypted reference signal includes: The accessnetwork device encrypts a first reference signal by using the pilot keyK_(s), to obtain the first sent encrypted reference signal PRS1. In apossible implementation, the access network device first generates ashared key by using a private key on a network device side and a publickey of the terminal device, and then performs a one-way hash functionoperation on the shared key to obtain the pilot key K_(s). In a possibleimplementation, the access network device receives the pilot keydelivered by a UDM. The access network device may encrypt the firstreference signal by using any encryption algorithm, for example, an AESencryption algorithm in this embodiment of this disclosure, and thepilot key K_(s), to generate a first sent encrypted reference signalPRS1=E_(AES)(RS1), where E_(AES( )) is the AES encryption algorithm, andRS1 represents the first reference signal. For example, the unencryptedRS1 is a Gold pseudo-random sequence, that is, a sequence in a form ofbinary bits 0 and 1, and therefore the PRS1 encrypted by using the AESshould be a new binary sequence.

In this disclosure, the first sent encrypted reference signal (or thesecond sent encrypted reference information) may be obtained byencrypting any existing reference signal. This disclosure provides twoencrypted reference signals in longer formats, to be applicable tocommunication scenarios with different security requirements. Thefollowing describes several possible formats of the first sent encryptedreference signal (or the second sent encrypted reference information).

Format 1

The first sent encrypted reference signal is obtained by encrypting thefirst reference signal using the pilot key. FIG. 10A is a schematicdiagram of a first sent encrypted reference signal according to anembodiment of this disclosure. As shown in FIG. 10A, PRS1=E_(AES)(RS1),PRS1 represents a first sent encrypted reference signal, RS1 representsa first reference signal (for example, a DM-RS or a CSI-RS), andE_(AES( )) is an AES encryption algorithm. The first reference signalmay be a binary sequence (for example, a rogue random sequence), thatis, a sequence in a form of binary bits 0 and 1, and the first sentencrypted reference signal is a binary sequence.

Format 2

The first sent encrypted reference signal includes at least two samefirst encrypted sequences, and the first encrypted sequence is obtainedby encrypting the first reference signal using the pilot key. The firstencrypted sequence may be a binary sequence obtained by encrypting thefirst reference signal by using an encryption algorithm and using thepilot key as a key. For example, RS1 represents the first referencesignal (a binary sequence), PRS1 represents the first encryptedsequence, and PRS1=E_(AES)(RS1); and E_(AES( )) is the AES encryptionalgorithm. FIG. 10B is a schematic diagram of another first sentencrypted reference signal according to an embodiment of thisdisclosure. As shown in FIG. 10B, the PRS1 includes an E_(AES)(RS1)₁, anE_(AES)(RS1)₂, . . . , and an E_(AES)(RS1)₁, the PRS1 represents a firstsent encrypted reference signal, E_(AES)(RS1)₁, E_(AES)(RS1)₂, . . . ,and E_(AES)(RS1)₁ are all first encrypted sequences, and RS1 representsa first reference signal (a binary sequence). In other words, the firstsent encrypted reference signal includes i first encrypted sequences,and i is an integer greater than 1.

Format 3

the first sent encrypted reference signal includes a hash chain, thehash chain includes at least two binary sequences, a first binarysequence in the hash chain is a second encrypted sequence, and thesecond encrypted sequence is obtained by encrypting the first referencesignal using the pilot key. FIG. 10C is a schematic diagram of anotherfirst sent encrypted reference signal according to an embodiment of thisdisclosure. As shown in FIG. 10C, the PRS1 includes a hash chain:hash₁(E_(AES)(RS1)), hash₂(E_(AES)(RS1)), . . . , andhash_(f)(E_(AES)(RS1)), hash₁(E_(AES)(RS1)) represent a first binarysequence in the hash chain, hash_(f)(E_(AES)(RS1)) represents a lastbinary sequence in the hash chain, f is an integer greater than 1, PRS1represents a first sent encrypted reference signal, and RS1 represents afirst reference signal. A non-first binary sequence in the hash chainmay satisfy the following formula:

hash_(i)(E _(AES)(RS))=hash₁ ^(i-1)(E _(AES)(RS))  (4)

where hash_(i)(E_(AES)(RS)) represents an i^(th) binary sequence in thehash chain, hash₁ ^(i-1)(E_(AES)(RS)) represents a binary sequenceobtained by performing (i−1) times of hash operations on a first binarysequence E_(AES)(RS) in the hash chain, and i is an integer greater than1.

By comparing FIG. 10A, FIG. 10B, and FIG. 10C, a length of format 1 isless than a length of format 2 and a length of format 3. It should beunderstood that a terminal device may occupy fewer bits by using thefirst sent encrypted reference signal in format 1. Compared with thefirst sent encrypted reference signal in format 2, the first sentencrypted reference signal in format 3 has higher security. Whendetecting that a block does not satisfy the hash chain, a receive end(the terminal device or an access network device) considers that atampering attack exists. It should be understood that a solution(namely, format 2) in which the first sent encrypted reference signalincludes at least two same first encrypted sequences is applicable to ascenario with a low security requirement; and a solution (namely, format3) in which the first sent encrypted reference signal includes a hashchain is applicable to a scenario with a high security requirement.

A format of the second sent encrypted reference signal is similar to orthe same as a format of the first sent encrypted reference information.The first sent encrypted reference signal is obtained by using a pilotkey and a first reference signal. The second sent encrypted referencesignal is obtained by using a pilot key and a second reference signal.It should be understood that if the first reference signal is the sameas the second reference signal, the first sent encrypted referencesignal is the same as the second sent encrypted reference signal.

In actual application, the terminal device may work in at least twosecurity modes with different security, for example, the first securitymode and the second security mode. When the terminal device works indifferent security modes, sent signals carry encrypted reference signalsin different formats. Correspondingly, the access network device mayalso work in at least two security modes with different security, forexample, the first security mode and the second security mode. Theterminal device may freely switch between different security modes, forexample, switch from the first security mode to the second security modeor switch from the second security mode to the first security mode. Theaccess network device may indicate, to the terminal device by using thedownlink control information, a security mode in which the accessnetwork device works.

When the terminal device works in different security modes, encryptedreference signals in different formats may be generated. In a possibleimplementation, before the terminal device performs channel estimationby using the first received encrypted reference signal and the firstsent encrypted reference signal, the method further includes: Theterminal device generates, when working in a first security mode, thefirst sent encrypted reference signal including at least two same firstencrypted sequences. The first encrypted sequence is obtained byencrypting the first reference signal using the pilot key. The terminaldevice generates, when working in the second security mode, the firstsent encrypted reference signal that includes a hash chain. The hashchain includes at least two binary sequences, and a first binarysequence in the hash chain is a second encrypted sequence. The secondencrypted sequence is obtained by encrypting the first reference signalusing the pilot key. Security of the first security mode is lower thansecurity of the second security mode.

For example, when being in the first security mode (corresponding to alow-level security mode), the terminal device generates a first sentencrypted reference signal (corresponding to a reference signal sent bythe access network device) that includes at least two same firstencrypted sequences, and performs channel estimation by using the firstsent encrypted reference signal. When switching to the second securitymode (corresponding to a high-level security mode), the terminal devicegenerates a first sent encrypted reference signal (corresponding to areference signal sent by the access network device) that includes a hashchain, and performs channel estimation by using the first sent encryptedreference signal (including the hash chain).

In a possible implementation, before the terminal device receives thefirst received encrypted reference signal (corresponding to anauthentication request), the method further includes: The terminaldevice receives first indication information, where the first indicationinformation indicates a location of the first received encryptedreference signal that is in the second information (for example, theauthentication request) and that is to be received by the terminaldevice. The first indication information may include a first encryptedactivation indication, and the first encryption activation indicationindicates the access network device to send an unencrypted referencesignal or an encrypted parameter signal. For example, when the firstencrypted activation indication in the first indication information is0, the first encrypted activation indication indicates the accessnetwork device to send an unencrypted reference signal. For anotherexample, when the first encrypted activation indication in the firstindication information is 1, the first encrypted activation indicationindicates the access network device to send an encrypted referencesignal. The first indication information may include a first securitymode indication, and the first security mode indication indicates anencryption manner of the first received encrypted reference signal. Forexample, when the first security mode indication in the first indicationinformation indicates an encryption manner 0, the terminal devicegenerates the first sent encrypted reference signal in format 2. Foranother example, when the first security mode indication in the firstindication information indicates an encryption manner 1, the terminaldevice generates the first sent encrypted reference signal in format 3.The first encryption activation indication and the first security modeindication in the first indication information may be used together. Forexample, when the first encrypted activation indication in the firstindication information is 0, the first encrypted activation indicationindicates the access network device to send an unencrypted referencesignal, and the terminal device does not consider the first securitymode indication. For another example, when the first encryptionactivation indication in the first indication information is 1 and thefirst security indication is 0, the access network device sends theencrypted reference signal in format 2. For another example, when thefirst encryption activation indication in the first indicationinformation is 1 and the first security indication is 1, the accessnetwork device sends the encrypted reference signal in format 3. Thefirst indication information may further include a first encryptedreference signal type and/or a first encrypted reference signal length.The first encrypted reference signal type is a type of the firstreceived encrypted reference signal. The first encrypted referencesignal length indicates a length of the first received encryptedreference signal.

When the access network device works in different security modes,encrypted reference signals in different formats may be generated. In apossible implementation, the access network device generates, whenworking in a first security mode, the first sent encrypted referencesignal including at least two same first encrypted sequences. The firstencrypted sequence is obtained by encrypting the first reference signalusing the pilot key. The access network device generates, when workingin the second security mode, the first sent encrypted reference signalthat includes a hash chain. The hash chain includes at least two binarysequences, and a first binary sequence in the hash chain is a secondencrypted sequence. The second encrypted sequence is obtained byencrypting the first reference signal using the pilot key. Security ofthe first security mode is lower than security of the second securitymode. The access network device may send first indication information tothe terminal device, where a first security mode indication in the firstindication information indication indicates an encryption manner of thefirst received encrypted reference signal.

In actual application, a user or operation and maintenance personnel canconfigure, based on an actual requirement, a security mode in which theaccess network device works. For example, when the access network deviceis applied to a communication scenario with a high security requirement,the access network device is configured to work in the second operationmode. When the access network device is applied to a communicationscenario with a low security requirement, the access network device isconfigured to work in the first operation mode. It should be understoodthat the terminal device and the access network device may transmitencrypted reference signals of different security levels, to satisfysecurity requirements of different communication scenarios.

The foregoing describes a method process performed by the terminaldevice in an authentication process, and the following describes amethod process performed by an access network device in anauthentication process.

FIG. 11 is a diagram of an interaction process of another authenticationmethod according to an embodiment of this disclosure. As shown in FIG.11 , the interaction procedure of the method includes:

1101: An access network device receives a second received encryptedreference signal from a terminal device.

The second received encrypted reference signal includes a signalreceived by an access network device when a second sent encryptedreference signal sent by a terminal device is transmitted through achannel, the second sent encrypted reference signal is obtained by usinga pilot key and a second reference signal, and the pilot key is obtainedby using a private key of the terminal device and a public key on anetwork device side, or the pilot key is obtained by using a private keyon the network device side and a public key of the terminal device.

That an access network device receives a second received encryptedreference signal may be: The access network device receives anauthentication response sent by the terminal device, where theauthentication response carries the second received encrypted referencesignal. The authentication response may further carry downlink channelstate information, and the downlink channel state information representsa state that is of a downlink channel and that is obtained by performingchannel estimation by the terminal device. In a possible implementation,before receiving the second received encrypted reference signal, theaccess network device receives second indication information, where thesecond indication information indicates a location of the secondreceived encrypted reference signal that is in the authenticationresponse and that is to be received by the access network device. Afterreceiving the authentication response, the access network device obtainsthe second received encrypted reference signal from the authenticationresponse based on the second indication information. The secondindication information may include a second encrypted reference signalindex, and the index indicates a location of the second receivedencrypted reference signal in the authentication response. The secondindication information further includes at least one of the following: asecond encrypted reference signal type, a second encrypted referencesignal length, a second encrypted activation indication, and a secondsecurity mode indication. The second encrypted reference signal type isa type of the second received encrypted reference signal. The secondencrypted reference signal length indicates a length of the secondreceived encrypted reference signal. The second encryption activationindication indicates the access network device to send an unencryptedreference signal or an encrypted parameter signal. The second securitymode indication indicates an encryption manner of the second receivedencrypted reference signal. The second encrypted reference signal typemay be a DM-RS, an SRS, or the like. The second encrypted referencesignal length indicates a length of the second received encryptedreference signal. For example, if the length of the second encryptedreference signal is K, it indicates that the encrypted reference signalto be sent by the access network device occupies K bits, and K is aninteger greater than 1. If the length of the second encrypted referencesignal is F, it indicates that the encrypted reference signal to be sentby the access network device occupies F bits, and F is an integergreater than 1. The second security mode indication may indicate anencryption manner of an encrypted reference signal to be sent by theaccess network device. For example, when the second security modeindication is 0, the encrypted reference signal to be sent by the accessnetwork device includes at least two same third encrypted sequences, andthe third encrypted sequence is obtained by encrypting the secondreference signal by using the pilot key. For another example, when thesecond security mode indication is 1, the encrypted reference signal tobe sent by the access network device includes a hash chain, and the hashchain includes at least two binary sequences. A first binary sequence inthe hash chain is a fourth encrypted sequence, and the fourth encryptedsequence is obtained by encrypting the second reference signal by usingthe pilot key. The second encryption activation indication may indicatewhether the terminal device sends an encrypted reference signal or anunencrypted reference signal. In some communication scenarios with a lowsecurity requirement, the second encryption activation indicationindicates the terminal device to send an unencrypted reference signal.In some communication scenarios with a high security requirement, thesecond encryption activation indication indicates the terminal device tosend an encrypted reference signal.

1102: The access network device performs channel estimation by usingsecond received encrypted reference signal and second sent encryptedreference signal, to obtain uplink channel state information.

The uplink channel state information may represent a status that is ofan uplink channel and that is obtained by performing channel estimationby the access network device. The uplink channel state informationincludes but is not limited to a received signal strength, a channelimpulse response, a channel frequency response, a received signalenvelope, or the like. A possible implementation of step 1102 is asfollows: The access network device performs channel estimation by usingthe second received encrypted reference signal and the second sentencrypted reference signal, to obtain an uplink channel estimationvalue; and uses second strength characteristic information and secondphase characteristic information that are extracted based on the uplinkchannel estimation value as the uplink channel state information. Theaccess network device may perform channel estimation by using a leastsquare method, a minimum mean square error method, or the like. In thisimplementation, the least square method is used as an example. It isassumed that a frequency domain response corresponding to a second sentencrypted reference signal PRS generated by a terminal device (forexample, a mobile phone) is X′(k), and k is a subcarrier sequencenumber. Because the access network device encrypts the second referencesignal by using the pilot key K_(s) to obtain the PRS, X′(k) is known tothe access network device. Assuming that a frequency domain response ofan encrypted reference signal (that is, a second received encryptedreference signal) received by the access network device is Y′(k), aformula for performing channel estimation by the access network deviceto obtain an uplink channel estimation value is as follows:

$\begin{matrix}{{H_{up}(k)} = {\frac{Y^{\prime}(k)}{X^{\prime}(k)} = {{❘{H_{up}(k)}❘}e^{j{\theta_{up}(k)}}}}} & (5)\end{matrix}$

where H_(up)(k) represents the uplink channel estimation value.

The access network device extracts the second strength characteristicinformation |H_(up)(k)| and the second phase characteristic informationθ_(up)(k) based on the uplink channel estimation value as the uplinkchannel state information CSI_(up). An extraction formula is as follows:

|H _(up)(k)|=√{square root over (real(H _(ip)(k))²+imag(H_(ip)(k))²)}  (6)

θ_(up)(k)=arctan(imag(H _(up)(k))/real(H _(up)(k)))  (7)

where |H_(up)(k)| represents the second intensity characteristicinformation, and θ_(up)(k) represents the second phase characteristicinformation.

In this implementation, the second strength characteristic informationand the second phase characteristic information are extracted by usingthe uplink channel estimation value, so that uplink channel stateinformation that accurately represents an uplink channel state can beobtained.

1103: The access network device sends channel authentication informationto a second network device.

The channel authentication information is for verifying whether themessage received by the access network device from the terminal deviceis valid or invalid.

That the access network device sends channel authentication informationto a second network device may be: The access network device sendssignaling (for example, Nausf_UEAuthentication_Authenticate Requestsignaling) that carries the channel authentication information to thesecond network device (for example, an AUSF), where the signaling mayfurther include a response RES*.

In this embodiment of this disclosure, the access network deviceperforms channel estimation by using the second received encryptedreference signal and the second sent encrypted reference signal, toobtain the uplink channel state information, to effectively defendagainst man-in-the-middle attacks.

FIG. 12 is a diagram of an interaction process of an authenticationmethod according to an embodiment of this disclosure. The methodinteraction process in FIG. 12 is a refinement and improvement of themethod interaction process in FIG. 11 . As shown in FIG. 12 , theinteraction procedure of the method includes:

1201: An access network device receives a pilot key sent by a secondnetwork device.

That an access network device receives a pilot key may be: The accessnetwork device receives signaling (for example,Nausf_UEAuthentication_Authenticate Response signaling) sent by thesecond network device (for example, an AUSF), where the signalingincludes the pilot key. Step 1201 may be replaced with: An accessnetwork device receives a shared key sent by a second network device;and the access network device performs a one-way hash operation on theshared key, to obtain a pilot key. In this disclosure, the AUSF is anetwork device that has an AUSF. Step 1201 may be replaced with: Anaccess network device generates a shared key by using a public key of aterminal device and a private key on a network device side; and performsa one-way hash operation on the shared key, to obtain a pilot key. Itshould be understood that the access network device may receive a sharedkey or a pilot key sent by another network device, or may generate ashared key or a pilot key by itself. In a possible implementation,before performing step 1201, the access network device may perform thefollowing operations: The access network device receives a registrationrequest from a terminal device, where the registration request carriesan SUCI and a public key of the terminal device. The access networkdevice may forward the SUCI and the public key of the terminal device tothe AUSF, to receive the pilot key or the shared key.

1202: The access network device encrypts a second reference signal byusing the pilot key, to obtain a second sent encrypted reference signal.

An implementation of step 1202 may be similar to an implementation ofstep 704, and details are not described herein again.

1203: The access network device sends an authentication request to theterminal device.

The authentication request (corresponding to second information) maycarry a first sent encrypted reference signal, the first sent encryptedreference signal is obtained by using a pilot key and a first referencesignal, and the pilot key is obtained by using a private key of theterminal device and a public key on a network device side, or the pilotkey is obtained by using a private key on the network device side and apublic key of the terminal device.

1204: The access network device receives an authentication response sentby the terminal device.

The authentication response (corresponding to first information) carriesa second received encrypted reference signal. The authenticationresponse may further carry downlink channel state information.

1205: The access network device performs channel estimation by using thesecond received encrypted reference signal and the second sent encryptedreference signal, to obtain uplink channel state information.

An implementation of step 1205 may be the same as an implementation ofstep 1102.

1206: The access network device demodulates the authentication responsebased on the uplink channel state information, to obtain the downlinkchannel state information.

1207: The access network device generates channel authenticationinformation based on the uplink channel state information and thedownlink channel state information.

That the access network device generates the channel authenticationinformation based on the uplink channel state information and thedownlink channel state information may be: using a correlationcoefficient or consistency between the uplink channel state informationand the downlink channel state information as the channel authenticationinformation. The correlation coefficient represents a degree ofsimilarity between the uplink channel state information and the downlinkchannel state information, and a larger correlation coefficientindicates that the uplink channel state information and the downlinkchannel state information are more similar. The access network devicegenerates the channel authentication information by calculating acorrelation or consistency between the uplink channel state informationand the downlink channel state information; and high-complexityexponential and logarithmic operations are not involved, and there is anadvantage of low computational complexity.

1208: The access network device sends the channel authenticationinformation to the second network device.

Step 1208 may be: The access network device sends signaling that carriesthe channel authentication information, for example,Nausf_UEAuthentication_Authenticate Request signaling to the secondnetwork device (for example, an AUSF). TheNausf_UEAuthentication_Authenticate Request signaling may furtherinclude a response RES*. It should be understood that, when theauthorized access network device performs data transmission with theauthorized terminal device, an uplink channel obtained by performingchannel estimation by the authorized access network device isnecessarily similar to a downlink channel obtained by performing channelestimation by the authorized terminal device. For example, if thechannel authentication information (for example, a correlationcoefficient) is greater than a preset threshold, it indicates that themessage received by the access network device from the terminal deviceis valid; otherwise, it indicates that the message received by theaccess network device from the terminal device is invalid. Therefore,the channel authentication information may be for verifying whether themessage received by the access network device from the terminal deviceis valid or invalid. If it is verified that the message received by theaccess network device from the terminal device is valid, theauthentication succeeds; otherwise, the authentication fails. Therefore,man-in-the-middle attacks can be defended against.

In this embodiment of this disclosure, the access network deviceperforms channel estimation by using the second received encryptedreference signal and the second sent encrypted reference signal, toobtain the uplink channel state information, to effectively defendagainst man-in-the-middle attacks.

In some possible implementations, the authentication solution providedin this disclosure further relates to a first network device(corresponding to a UDM) and a second network device (corresponding toan AUSF). Method processes performed by the first network device and thesecond network device in an authentication process are separatelydescribed below with reference to the accompanying drawings.

FIG. 13 is a diagram of an interaction process of another authenticationmethod according to an embodiment of this disclosure. As shown in FIG.13 , the interaction procedure of the method includes:

1301: A first network device receives channel authentication informationfrom a second network device.

The channel authentication information represents a correlation betweenan uplink channel estimated by an access network device and a downlinkchannel estimated by a terminal device. The first network device may bean access network device, or may be a network device having a UDM. Inother words, the first network device may be the foregoing accessnetwork device, or may be an independent network device.

That a first network device receives channel authentication informationmay be: The first network device receivesNudm_UEAuthentication_ResultConfirmation Request signaling, where thesignaling carries the channel authentication information. TheNudm_UEAuthentication_ResultConfirmation Request signaling may furtherinclude an SUPI, an authentication timestamp, an authentication type,and a visiting network name.

In a possible implementation, before receiving the channelauthentication information, the first network device may perform thefollowing operations: The first network device generates a shared key byusing a public key of the terminal device and a private key on a networkdevice side; and The first network device sends the shared key or apilot key to the second network device (for example, an AUSF), where thepilot key is obtained by performing a one-way hash operation on theshared key, and the pilot key or the shared key is used by the accessnetwork device to generate the channel authentication information. Thatthe first network device sends the shared key or a pilot key to thesecond network device may be: The first network device sendsNudm_UEAuthentication_Get Response signaling to the AUSF (correspondingto the second network device), where the signaling carries the sharedkey or the pilot key. The first network device may store or obtain theprivate key on the network device side, and obtain the public key of theterminal device from Nudm_UEAuthentication_Get Request signaling fromthe AUSF.

1302: The first network device verifies, based on the channelauthentication information, whether a message received by the accessnetwork device from the terminal device is valid or invalid.

The channel authentication information may include an authenticationparameter, and an implementation of step 1302 may be: The access networkdevice determines, when the authentication parameter is greater than anauthentication threshold, that the message received by the accessnetwork device from the terminal device is valid; and the access networkdevice determines, when the authentication parameter is not greater thanthe authentication threshold, that the message received by the accessnetwork device from the terminal device is invalid. The authenticationparameter is a real number greater than 0 and not greater than 1. Theauthentication threshold is a real number greater than 0 and not greaterthan 1, for example, 0.6, 0.75, 0.8, or 0.9.

In this embodiment of this disclosure, whether the message received bythe access network device from the terminal device is valid or invalidis verified based on the channel authentication information, to defendagainst a man-in-the-middle attack.

FIG. 14 is a diagram of an interaction process of an authenticationmethod according to an embodiment of this disclosure. As shown in FIG.14 , the interaction procedure of the method includes:

1401: A second network device sends a public key of a terminal device toa first network device.

The second network device may be the foregoing access network device, ormay be an independent network device that has an AUSF. That a secondnetwork device sends a public key of a terminal device to a firstnetwork device may be: The second network device sendsNudm_UEAuthentication_Get Request signaling to the first network device,where the signaling includes the public key of the terminal device.

1402: The second network device receives a shared key or a pilot keysent by the first network device.

The shared key is obtained by using the public key of the terminaldevice and a private key on a network device side, and the pilot key isobtained by performing a one-way hash operation on the shared key. Thatthe second network device receives a shared key or a pilot key sent bythe first network device may be: The second network device receivesNudm_UEAuthentication_Get Response signaling, where the signalingincludes the shared key or the pilot key.

1403: The second network device generates key information that includesthe shared key or the pilot key.

the second network device sends the key information.

1404: The second network device sends the key information to the accessnetwork device.

That the second network device sends the key information may be: Thesecond network device sends Nausf_UEAuthentication_Authenticate Responsesignaling to the access network device, where the signaling includes theshared key or the pilot key. In other words, the key information is theNausf_UEAuthentication_Authenticate Response signaling.

In a possible implementation, the method further includes: The secondnetwork device receives channel authentication information from theaccess network device; and the second network device sends the channelauthentication information to the first network device, where thechannel authentication information is for verifying whether a messagereceived by the access network device from the terminal device is validor invalid.

That the second network device receives channel authenticationinformation from the access network device may be: The second networkdevice receives Nausf_UEAuthentication_Authenticate Request signalingfrom the access network device, where the signaling includes the channelauthentication information. That the second network device sends thechannel authentication information to the first network device may be:The second network device sends Nudm_UEAuthentication_ResultConfirmationRequest signaling to the first network device, where the signalingincludes the channel authentication information.

In this embodiment of this disclosure, the second network device sendsthe key information, so that the access network device encrypts areference signal by using pilot information.

The foregoing embodiments separately describe method processes performedby the terminal device, the access network device, the first networkdevice, and the second network device in an authentication process. Theauthentication solution provided in this disclosure may be applied to anauthentication part of a plurality of communication protocols. Inaddition, the method for generating an encrypted reference signal in anauthentication process provided in this disclosure may be applied toanother physical layer. The authentication method provided in thisdisclosure may be applied to an authentication process and a home domaincontrol process in NR. The following describes an interaction processbetween a terminal device, an access network device, a first networkdevice, and a second network device in an authentication process withreference to the accompanying drawings.

FIG. 15A and FIG. 15B are diagrams of an interaction process of anauthentication method according to an embodiment of this disclosure. Asshown in FIG. 15A and FIG. 15B, the method may be applied to acommunication system that includes a terminal device, an access networkdevice, a UDM, and an AUSF. The method includes:

1501: The terminal device establishes an RRC connection to the accessnetwork device.

A possible implementation of step 1501 is as follows: The terminaldevice establishes downlink time-frequency synchronization with a cellthrough cell search, obtains a physical-layer cell identifier, thenachieves uplink synchronization by performing a random access process,and establishes an RRC connection to the access network device.

1502: The terminal device derives a shared key by using a public key ona network device side and a private key of the terminal device, andencrypts a subscription permanent identifier by using the shared key, toobtain a subscription concealed identifier.

1503: The terminal device sends a registration request to the accessnetwork device.

The registration request (registration request) carries the SUCI and apublic key of the terminal device.

1504: The access network device stores the subscription concealedidentifier, and forwards the subscription concealed identifier to theAUSF through first intermediate authentication request signaling.

The first intermediate authentication request signaling may beNausf_UEAuthentication_Authenticate Request signaling, and theNausf_UEAuthentication_Authenticate Request signaling includes thepublic key of the terminal device and the subscription concealedidentifier.

1505: The AUSF sends second intermediate authentication requestsignaling to the UDM.

The second intermediate authentication request signaling may include thepublic key of the terminal device and the subscription concealedidentifier. For example, the second intermediate authentication requestsignaling is Nudm_UEAuthentication_Get Request signaling.

1506: The UDM generates the shared key, decrypts the subscriptionconcealed identifier by using the shared key to obtain the subscriptionpermanent identifier, and performs a one-way hash function operation onthe shared key to obtain a pilot key.

The UDM may derive the shared key K_(m)=derive(K_(p) ^(UE), K_(s) ^(HN))by using the public key K_(p) ^(UE) of the terminal device and theprivate key K_(s) ^(HN) on the network device side that are received,and derive(⋅) is a key derivation method. Then, the UDM decrypts theSUCI by using the shared key to obtain the plain-text SUPI, and performsa one-way hash function operation on the shared key K_(m) to obtain thepilot key K_(s), that is, K_(s)=hash(K_(m)), and hash (⋅) is a hashfunction. The one-way hash function is implemented with the MD5, SHA-1,SHA-2, or SHA-3 algorithm.

1507: The UDM sends second intermediate authentication responsesignaling to the AUSF.

The second intermediate authentication response signaling may beresponse signaling fed back by the UDM for the second intermediateauthentication request signaling, and the second intermediateauthentication response signaling may include the pilot key. Forexample, the second intermediate authentication response signaling isNudm_UEAuthentication_Get Response signaling.

1508: The AUSF stores an expected response XRES*, calculates a hashexpected response HXRES*, and sends first intermediate authenticationresponse signaling to the access network device.

The first intermediate authentication response signaling is responsesignaling fed back by the AUSF for the first intermediate authenticationrequest, and the first intermediate authentication response signalingmay include the pilot key K_(s). For example, the first intermediateauthentication response signaling is Nausf_UEAuthentication_AuthenticateResponse signaling.

1509: The access network device generates a first sent encryptedreference signal, and sends an authentication request to the terminaldevice.

The authentication request may include the first sent encryptedreference information, that is, PRS1 in FIG. 15A and FIG. 15B. Forexample, the authentication request is Authentication Request signaling.The access network device may encrypt first reference information byusing the received pilot key, to obtain the first sent encryptedreference signal.

1510: The terminal device parses the authentication request, andcalculates a response RES*; and performs channel estimation by using thegenerated or local first sent encrypted reference signal and a receivedfirst received encrypted reference signal, and extracts downlink channelstate information.

The terminal device may perform a one-way hash function operation on theshared key K_(m) derived in step 1502 to obtain the pilot key K_(s), andthen encrypt the first reference signal by using the pilot key K_(s), togenerate the first sent encrypted reference signal. An implementation inwhich the terminal device performs channel estimation and extracts thedownlink channel state information has been described above, and detailsare not described herein again.

1511: The terminal device sends an authentication response to the accessnetwork device.

The authentication response may include a second sent encryptedreference signal (PRS2 in FIG. 15A and FIG. 15B) and the downlinkchannel state information. For example, the authentication response isAuthentication Response signaling.

1512: The access network device parses the received signal, calculates ahash response HRES*, and compares the hash response HRES* with localHXRES*; performs channel estimation by using a second received encryptedreference signal and the local second sent encrypted reference signal,and extracts uplink channel state information; and generates a channelauthentication parameter K based on the downlink channel stateinformation and the uplink channel state information.

If the comparison between HRES* and HXRES* is passed, channel estimationis performed by using the second received encrypted reference signal(that is, an encrypted reference signal received by the access networkdevice) and the local second sent encrypted reference signal. Thechannel authentication parameter K corresponds to the channelauthentication information. An implementation in which the accessnetwork device determines whether the comparison between HRES* andHXRES* is passed may be the same as that of step 9 (page 44) in Section6.1.3.2.0 5G AKA in the standard document “3GPP. Security architectureand procedures for 5G systems, TS 33.501, 2020-07.”.

1513: The access network device sends an authentication result to theAUSF by using third intermediate authentication request signaling.

The authentication result carried in the third intermediateauthentication request signaling may include the response RES* and thechannel authentication parameter K. For example,Nausf_UEAuthentication_Authenticate Request signaling.

1514: The AUSF compares the received response RES* with the localexpected response XRES*. If the comparison is passed, a next step isperformed.

1515: The AUSF sends third intermediate authentication responsesignaling to the access network device.

The third intermediate authentication response signaling is for replyingto the authentication result. For example, the third intermediateauthentication response signaling is Nausf_UEAuthentication_AuthenticateResponse signaling.

1516: The AUSF sends authentication result confirmation requestsignaling to the UDM.

The authentication result confirmation request signaling is fornotifying time and a result of an authentication process, and includesthe SUPI, an authentication timestamp, an authentication type, avisiting network name, and the channel authentication parameter K. Forexample, the authentication result confirmation request signaling isNudm_UEAuthentication_ResultConfirmation Request signaling.

1517: The UDM stores an authentication status of the terminal device,verifies an authentication time, and verifies the channel authenticationparameter.

An implementation of verifying the authentication time may be: The UDMdetermines, based on time of last successful authentication of a userequipment and a corresponding visiting network, whether the userequipment has plenty of time to arrive at a new visiting network. If itis determined that the user equipment has plenty of time to arrive atthe new visiting network, the authentication time passes theverification. A method for verifying the channel authenticationparameter K by the UDM may be: The channel authentication parameter K iscompared with a locally preset threshold K_(threshold) (that is, anauthentication threshold): If the channel authentication parameter K isgreater than the preset threshold K_(threshold), it is considered that asignaling source is authorized, no man-in-the-middle attack exists, andthe authentication succeeds. If the channel authentication parameter Kis less than the preset threshold K_(threshold), it is considered that asignaling source is unauthorized, a man-in-the-middle attack exists, andthe authentication fails.

1518: The UDM sends authentication result confirmation responsesignaling to the AUSF.

The authentication result confirmation response signaling replies to anauthentication result of a home domain, and the authentication resultindicates whether a user location spoofing attack occurs in theauthentication process. For example, the authentication resultconfirmation response signaling isNudm_UEAuthentication_ResultConfirmation Response signaling.

In this embodiment of this disclosure, physical-layer channelinformation is used as an authentication parameter and is integrated inan authentication process and a home domain control process, to becompatible with an existing mobile communication system.

The AUSF and the UDM in FIG. 15A and FIG. 15B are functional networkelements. An entity of the AUSF and an entity of the UDM may bedifferent communication apparatuses, an entity of the AUSF and an entityof the UDM may be a same communication apparatus (different from theaccess network device), or the AUSF, the UDM, and the access networkdevice may be a same communication apparatus.

In this embodiment of this disclosure, a channel estimation result (thatis, a channel authentication reference) is embodied in authenticationsignaling, and a home network (corresponding to the UDM) determines, byusing the channel authentication parameter, whether a source of theauthentication signaling is authorized, to successfully defend againsttransparent forwarding and location spoofing attacks. In addition, areference signal used for channel estimation is protected by using thepilot key, thereby defending against a channel manipulation attack.

The following describes a schematic diagram of a structure of acommunication apparatus for implementing the authentication method inthe foregoing embodiments. FIG. 16 is a schematic diagram of a structureof a communication apparatus according to an embodiment of thisdisclosure. The communication apparatus in FIG. 16 may be the terminaldevice in the foregoing embodiments. As shown in FIG. 16 , thecommunication apparatus 160 includes:

-   -   a transceiver module 1601, configured to receive a first        received encrypted reference signal, where the first received        encrypted reference signal includes a signal received by a        terminal device when a first sent encrypted reference signal        sent by an access network device is transmitted through a        channel, the first sent encrypted reference signal is obtained        by using a pilot key and a first reference signal, and the pilot        key is obtained by using a private key of the terminal device        and a public key on a network device side, or the pilot key is        obtained by using a private key on the network device side and a        public key of the terminal device; and    -   a processing module 1602, configured to perform channel        estimation by using the first received encrypted reference        signal and the first sent encrypted reference signal, to obtain        downlink channel state information, where    -   the transceiver module 1601 is further configured to send first        information to the access network device, where the first        information includes the downlink channel state information.

In a possible implementation, the processing module 1602 is furtherconfigured to: generate, when the terminal device works in a firstsecurity mode, the first sent encrypted reference signal including atleast two same first encrypted sequences, where the first encryptedsequence is obtained by encrypting the first reference signal using thepilot key; and generate, when the terminal device works in a secondsecurity mode, the first sent encrypted reference signal including ahash chain, where the hash chain includes at least two binary sequences,a first binary sequence in the hash chain is a second encryptedsequence, the second encrypted sequence is obtained by encrypting thefirst reference signal using the pilot key, and security of the firstsecurity mode is lower than security of the second security mode.

In a possible implementation, the processing module 1602 is furtherconfigured to: generate a shared key by using the private key of theterminal device and the public key on the network device side; perform aone-way hash operation on the shared key, to obtain the pilot key; andencrypt the first reference signal by using the pilot key, to obtain thefirst sent encrypted reference signal.

In a possible implementation, the transceiver module 1601 is furtherconfigured to receive first indication information, where the firstindication information indicates a location of the first receivedencrypted reference signal that is in second information and that is tobe received by the terminal device.

In a possible implementation, the processing module 1602 is specificallyconfigured to: perform channel estimation by using the first receivedencrypted reference signal and the first sent encrypted referencesignal, to obtain a downlink channel estimation value; and use firststrength characteristic information and first phase characteristicinformation that are extracted based on the downlink channel estimationvalue as the downlink channel state information.

In some embodiments, functions of the transceiver module 1601 and theprocessing module 1602 of the communication apparatus in FIG. 16 are asfollows:

The transceiver module 1601 is configured to send a first sent encryptedreference signal to a terminal device, where the first sent encryptedreference signal is obtained by using a pilot key and a first referencesignal, and the pilot key is obtained by using a private key of theterminal device and a public key on a network device side, or the pilotkey is obtained by using a private key on the network device side and apublic key of the terminal device;

-   -   the transceiver module 1601 is further configured to receive        first information from the terminal device, where the first        information includes downlink channel state information, the        downlink channel state information is obtained by performing        channel estimation by using a first received encrypted reference        signal and the first sent encrypted reference signal, and the        first received encrypted reference signal includes a signal        received by the terminal device when the first sent encrypted        reference signal sent by an access network device is transmitted        through a channel; and    -   the processing module 1602 is configured to generate channel        authentication information, where the channel authentication        information is for verifying whether a message received by the        access network device from the terminal device is valid or        invalid, and the channel authentication information is obtained        by using the downlink channel state information; and    -   the transceiver module 1601 is further configured to send the        channel authentication information to a first network device.

In a possible implementation, the processing module 1602 is furtherconfigured to perform channel estimation by using second receivedencrypted reference signal and second sent encrypted reference signal,to obtain uplink channel state information, where the second sentencrypted reference signal is obtained by using the pilot key and asecond reference signal, the second received encrypted reference signalincludes a signal received by the access network device when the secondsent encrypted reference signal sent by the terminal device istransmitted through a channel, and the second sent encrypted referencesignal is included in the first information; and generate the channelauthentication information based on the uplink channel state informationand the downlink channel state information.

FIG. 17 is a schematic diagram of a structure of another communicationapparatus according to an embodiment of this disclosure. Thecommunication apparatus in FIG. 17 may be the access network device inthe foregoing embodiments. As shown in FIG. 17 , the communicationapparatus 170 includes:

-   -   a transceiver module 1701, configured to receive a second        received encrypted reference signal, where the second received        encrypted reference signal includes a signal received by an        access network device when a second sent encrypted reference        signal sent by a terminal device is transmitted through a        channel, the second sent encrypted reference signal is obtained        by using a pilot key and a second reference signal, and the        pilot key is obtained by using a private key of the terminal        device and a public key on a network device side, or the pilot        key is obtained by using a private key on the network device        side and a public key of the terminal device; and    -   the processing module 1702 is configured to perform channel        estimation by using the second received encrypted reference        signal and the second sent encrypted reference signal, to obtain        uplink channel state information, where the uplink channel state        information is for generating channel authentication        information; and    -   the transceiver module 1701 is further configured to send the        channel authentication information to the first network device,        where the channel authentication parameter is for verifying        whether a message received by the access network device from the        terminal device is valid or invalid.

In a possible implementation, the transceiver module 1701 is furtherconfigured to receive the pilot key; or the processing module 1702 isfurther configured to perform a one-way hash operation on the shared keyreceived by the transceiver module to obtain the pilot key; and

-   -   the processing module 1702 is further configured to encrypt the        second reference signal by using the pilot key, to obtain the        second sent encrypted reference signal.

In a possible implementation, the processing module 1702 is specificallyconfigured to: derive the shared key by using the private key of theterminal device and the public key on the network device side; perform aone-way hash operation on the shared key, to obtain the pilot key; andencrypt the second reference signal by using the pilot key, to obtainthe second sent encrypted reference signal.

In a possible implementation, the processing module 1702 is furtherconfigured to demodulate first information based on the uplink channelstate information, to obtain downlink channel state information; andgenerate the channel authentication information based on the uplinkchannel state information and the downlink channel state information.

In a possible implementation, the transceiver module 1701 is furtherconfigured to send second information to the terminal device, where thesecond information includes a first sent encrypted reference signal, andthe first sent encrypted reference signal is obtained by using the pilotkey and a first reference signal.

In a possible implementation, the processing module 1702 is furtherconfigured to: generate, when the access network device works in a firstsecurity mode, the first sent encrypted reference signal including atleast two same first encrypted sequences, where the first encryptedsequence is obtained by encrypting the first reference signal using thepilot key; and generate, when the access network device works in asecond security mode, the first sent encrypted reference signalincluding a hash chain, where the hash chain includes at least twobinary sequences, a first binary sequence in the hash chain is a secondencrypted sequence, the second encrypted sequence is obtained byencrypting the first reference signal using the pilot key, and securityof the first security mode is lower than security of the second securitymode.

In a possible implementation, the transceiver module 1701 is furtherconfigured to receive second indication information, where the secondindication information indicates a location of the second receivedencrypted reference signal that is in first information and that is tobe received by the access network device.

In a possible implementation, the processing module 1702 is specificallyconfigured to: perform channel estimation by using the second receivedencrypted reference signal and the second sent encrypted referencesignal, to obtain an uplink channel estimation value; and use secondstrength characteristic information and second phase characteristicinformation that are extracted based on the uplink channel estimationvalue as the uplink channel state information.

In some embodiments, functions of the transceiver module 1701 and theprocessing module 1702 of the communication apparatus in FIG. 17 are asfollows:

a transceiver module 1701, configured to receive a first receivedencrypted reference signal, where the first received encrypted referencesignal includes a signal received by a terminal device when a first sentencrypted reference signal sent by an access network device istransmitted through a channel, the first sent encrypted reference signalis obtained by using a pilot key and a first reference signal, and thepilot key is obtained by using a private key of the terminal device anda public key on a network device side, or the pilot key is obtained byusing a private key on the network device side and a public key of theterminal device; and

-   -   the processing module 1702 is configured to generate first        information, where the first information includes a second sent        encrypted reference signal and downlink channel state        information, the second sent encrypted reference signal is        obtained by using the pilot key and a second reference signal,        and the downlink channel state information is obtained by using        the first received encrypted reference signal, where    -   the transceiver module 1701 is further configured to send the        first information to the access network device.

In a possible implementation, the processing module 1702 is furtherconfigured to perform channel estimation by using the first receivedencrypted reference signal and the first sent encrypted referencesignal, to obtain the downlink channel state information.

FIG. 18 is a schematic diagram of a structure of another communicationapparatus according to an embodiment of this disclosure. Thecommunication apparatus in FIG. 18 may be the first network device inthe foregoing embodiments. As shown in FIG. 18 , the communicationapparatus 180 includes:

-   -   a transceiver module 1801, configured to receive channel        authentication information, where the channel authentication        information represents a correlation between an uplink channel        estimated by an access network device and a downlink channel        estimated by a terminal device; and    -   a processing module 1802, configured to verify, based on the        channel authentication information, whether a message received        by the access network device from the terminal device is valid        or invalid.

In a possible implementation, the processing module 1802 is furtherconfigured to generate the shared key by using the public key of theterminal device and the private key on the network device side; and

-   -   the transceiver module 1801 is further configured to send the        shared key or a pilot key, where the pilot key is obtained by        performing a one-way hash operation on the shared key by the        processing module, and the pilot key or the shared key is used        by the access network device to generate the channel        authentication information.

FIG. 19 is a schematic diagram of a structure of another communicationapparatus according to an embodiment of this disclosure. Thecommunication apparatus in FIG. 19 may be the second network device inthe foregoing embodiments. As shown in FIG. 19 , the communicationapparatus 190 includes:

-   -   a transceiver module 1901, configured to send a public key of a        terminal device to a first network device, where the transceiver        module is further configured to receive a shared key or a pilot        key sent by the first network device, where the shared key is        obtained by using the public key of the terminal device and a        private key on a network device side, and the pilot key is        obtained by performing a one-way hash operation on the shared        key; and    -   a processing module 1902, configured to generate key information        that includes the shared key or the pilot key, where the        transceiver module is further configured to send the key        information.

In a possible implementation, the transceiver module 1901 is furtherconfigured to: receive channel authentication information from theaccess network device; and send the channel authentication informationto the first network device, where the channel authenticationinformation is for verifying whether a message received by the accessnetwork device from the terminal device is valid or invalid.

In a possible implementation, the transceiver module 1901 is furtherconfigured to: receive the public key of the terminal device; and sendthe public key of the terminal device to the first network device.

FIG. 20 is a schematic diagram of a structure of another communicationapparatus 200 according to an embodiment of this disclosure. Thecommunication apparatus in FIG. 20 may be the foregoing terminal device.The communication apparatus in FIG. 20 may be the foregoing accessnetwork device. The communication apparatus in FIG. 20 may be theforegoing first network device. The communication apparatus in FIG. 20may be the foregoing second network device.

As shown in FIG. 20 , the communication apparatus 200 includes at leastone processor 2020 and a transceiver 2010.

In some embodiments of this disclosure, the processor 2020 and thetransceiver 2010 may be configured to perform a function, an operation,or the like performed by the terminal device.

In some other embodiments of this disclosure, the processor 2020 and thetransceiver 2010 may be configured to perform a function, an operation,or the like performed by the access network device.

In some other embodiments of this disclosure, the processor 2020 and thetransceiver 2010 may be configured to perform a function, an operation,or the like performed by the first network device.

In some other embodiments of this disclosure, the processor 2020 and thetransceiver 2010 may be configured to perform a function, an operation,or the like performed by the second network device. The transceiver 2010is configured to communicate with another device/apparatus through atransmission medium. The processor 2020 sends and receives data and/orsignaling by using the transceiver 2010, and is configured to implementthe method in the foregoing method embodiments. The processor 2020 mayimplement a function of the processing module 1602, and the transceiver2010 may implement a function of the transceiver module 1601.Alternatively, the processor 2020 may implement a function of theprocessing module 1702, and the transceiver 2010 may implement afunction of the transceiver module 1701. Alternatively, the processor2020 may implement a function of the processing module 1802, and thetransceiver 2010 may implement a function of the transceiver module1801. Alternatively, the processor 2020 may implement a function of theprocessing module 1902, and the transceiver 2010 may implement afunction of the transceiver module 1901.

Optionally, the communication apparatus 200 may further include at leastone memory 2030, configured to store program instructions and/or data.The memory 2030 is coupled to the processor 2020. The coupling in thisembodiment of this disclosure may be indirect coupling or acommunication connection between apparatuses, units, or modules in anelectrical form, a mechanical form, or another form, and is used forinformation exchange between the apparatuses, the units, or the modules.The processor 2020 may work with the memory 2030. The processor 2020 mayexecute the program instructions stored in the memory 2030. At least oneof the at least one memory may be included in a processor.

A specific connection medium between the transceiver 2010, the processor2020, and the memory 2030 is not limited in this embodiment of thisdisclosure. In this embodiment of this disclosure, the memory 2030, theprocessor 2020, and the transceiver 2010 are connected by using a bus2040 in FIG. 20 . The bus is represented by using a thick line in FIG.20 . A manner of connecting other components is merely an example fordescription, and is not limited thereto. The bus may be classified intoan address bus, a data bus, a control bus, and the like. For ease ofrepresentation, only one thick line represents the bus in FIG. 20 , butthis does not mean that there is only one bus or only one type of bus.

In this embodiment of this disclosure, the processor may be ageneral-purpose processor, a digital signal processor, anapplication-specific integrated circuit, a field programmable gate arrayor another programmable logic device, a discrete gate or transistorlogic device, or a discrete hardware component. The processor canimplement or execute the methods, steps, and logical block diagramsdisclosed in embodiments of this disclosure. The general-purposeprocessor may be a microprocessor, any conventional processor, or thelike. The steps of the methods disclosed with reference to embodimentsof this disclosure may be directly performed and completed by a hardwareprocessor, or may be performed and completed by using a combination ofhardware and software modules in the processor.

FIG. 21 is a schematic diagram of a structure of another communicationapparatus 210 according to an embodiment of this disclosure. As shown inFIG. 21 , the communication apparatus shown in FIG. 21 includes a logiccircuit 2101 and an interface 2102. The processing module in FIG. 16 toFIG. 19 may be implemented by using the logic circuit 2101, and thetransceiver module in FIG. 16 to FIG. 19 may be implemented by using theinterface 2102. The logic circuit 2101 may be a chip, a processingcircuit, an integrated circuit, a system-on-chip (system on chip, SoC),or the like, and the interface 2102 may be a communication interface, aninput/output interface, or the like. In this embodiment of thisdisclosure, the logic circuit may be further coupled to the interface. Aspecific connection manner of the logic circuit and the interface is notlimited in this embodiment of this disclosure.

In some embodiments of this disclosure, the logic circuit and theinterface may be configured to perform a function, an operation, or thelike performed by the terminal device.

In some other embodiments of this disclosure, the logic circuit and theinterface may be configured to perform a function, an operation, or thelike performed by the access network device.

In some embodiments of this disclosure, the logic circuit and theinterface may be configured to perform a function, an operation, or thelike performed by the first network device.

In some embodiments of this disclosure, the logic circuit and theinterface may be configured to perform a function, an operation, or thelike performed by the second network device.

This disclosure further provides a computer-readable storage medium. Thecomputer-readable storage medium stores computer code. When the computercode runs on a computer, the computer is enabled to perform the methodin the foregoing embodiments.

This disclosure further provides a computer program product. Thecomputer program product includes computer code or a computer program.When the computer code or the computer program runs on a computer, theauthentication method in the foregoing embodiments is performed.

This disclosure further provides a communication system, including theforegoing terminal device and the foregoing access network device. Thecommunication system may further include the foregoing first networkdevice and the foregoing second network device.

The foregoing descriptions are merely specific implementations of thisdisclosure, but are not intended to limit the protection scope of thisdisclosure. Any variation or replacement readily figured out by a personskilled in the art within the technical scope disclosed in thisdisclosure shall fall within the protection scope of this disclosure.Therefore, the protection scope of this disclosure shall be subject tothe protection scope of the claims.

What is claimed is:
 1. An authentication method, comprising: receiving,by a terminal device, a first received encrypted reference signalcorresponding to a first sent encrypted reference signal that isgenerated by an access network device using a pilot key and a firstreference signal and is transmitted through a channel; performing, bythe terminal device, channel estimation by using the first receivedencrypted reference signal and the first sent encrypted referencesignal, to obtain downlink channel state information; and sending, bythe terminal device to the access network device, first informationincluding the downlink channel state information.
 2. The method of claim1, wherein the first sent encrypted reference signal comprises at leasttwo same first encrypted sequences each obtained by encrypting the firstreference signal using the pilot key.
 3. The method of claim 1, whereinthe first sent encrypted reference signal comprises a hash chain havingat least two binary sequences, the at least two binary sequencesincluding an encrypted sequence obtained by encrypting the firstreference signal using the pilot key.
 4. The method of claim 1, whereinthe pilot key is obtained by performing a one-way hash operation on ashared key, wherein the shared key is obtained by using a private key ofthe terminal device and a public key on a network device side, or theshared key is obtained by using a private key on the network device sideand a public key of the terminal device.
 5. The method of claim 1,wherein the first information further comprises a second sent encryptedreference signal obtained by using the pilot key and a second referencesignal.
 6. The method of claim 1, before the performing the channelestimation, the method further comprising: generating, by the terminaldevice, the first sent encrypted reference signal using the pilot keyand the first reference signal.
 7. An apparatus, comprising: aprocessor, and a non-transitory memory storing program instructionsthat, when executed by the processor, cause the apparatus to perform theoperations: receiving, from a terminal device, a second receivedencrypted reference signal corresponding to a second sent encryptedreference signal that is generated by the terminal device using a pilotkey and a second reference signal and transmitted through a channel;performing channel estimation by using the second received encryptedreference signal and the second sent encrypted reference signal, toobtain uplink channel state information; generating channelauthentication information by using the uplink channel stateinformation, the channel authentication information for verifyingwhether a message received by the access network device from theterminal device is valid or invalid; and sending the channelauthentication information to a first network device.
 8. The apparatusof claim 7, wherein the second sent encrypted reference signal comprisesat least two same third encrypted sequences each obtained by encryptingthe second reference signal by using the pilot key.
 9. The apparatus ofclaim 7, wherein the second sent encrypted reference signal comprises ahash chain having at least two binary sequences including an encryptedsequence obtained by encrypting the second reference signal using thepilot key.
 10. The apparatus of claim 7, wherein the pilot key isobtained by performing a one-way hash operation on a shared key, whereinthe shared key is obtained by using a private key on a network deviceside and a public key of the terminal device, or the shared key isobtained by using a public key on the network device side and a privatekey of the terminal device.
 11. The apparatus of claim 7, wherein beforethe sending the channel authentication information, the programinstructions further cause the apparatus to perform the operations:demodulating, based on the uplink channel state information, firstinformation from the terminal device, to obtain downlink channel stateinformation; and generating channel authentication information based onthe uplink channel state information and the downlink channel stateinformation.
 12. The apparatus of claim 7, wherein the programinstructions further cause the apparatus to perform the operations:sending, to the terminal device, a first sent encrypted reference signalobtained by using the pilot key and a first reference signal; receiving,from the terminal device, downlink channel state information that isgenerated by the terminal device in response to the first sent encryptedreference signal; and generating a channel authentication parameter inaccordance with the downlink channel state information and the uplinkchannel state information, the channel authentication parametercorresponding to the channel authentication information.
 13. Theapparatus of claim 12, wherein the channel authentication informationcomprises the channel authentication parameter.
 14. The apparatus ofclaim 7, wherein the program instructions further cause the apparatus toperform the operations: generating the second sent encrypted referencesignal using the pilot key and the second reference signal.
 15. Anapparatus, comprising: a processor, and a non-transitory memory storingprogram instructions that, when executed by the processor, cause theapparatus to perform the operations: receiving, from an access networkdevice, a first received encrypted reference signal corresponding to afirst sent encrypted reference signal that is generated by the accessnetwork device using a pilot key and a first reference signal and istransmitted through a channel; performing channel estimation by usingthe first received encrypted reference signal and the first sentencrypted reference signal, to obtain downlink channel stateinformation; and sending, to the access network device, firstinformation including the downlink channel state information.
 16. Theapparatus of claim 15, wherein the first sent encrypted reference signalcomprises at least two same first encrypted sequences each obtained byencrypting the first reference signal using the pilot key.
 17. Theapparatus of claim 15, wherein the first sent encrypted reference signalcomprises a hash chain having at least two binary sequences, the atleast two binary sequences including an encrypted sequence obtained byencrypting the first reference signal using the pilot key.
 18. Theapparatus of claim 15, wherein the pilot key is obtained by performing aone-way hash operation on a shared key, wherein the shared key isobtained by using a private key of the terminal device and a public keyon a network device side, or the shared key is obtained by using aprivate key on the network device side and a public key of the terminaldevice.
 19. The apparatus of claim 15, wherein the first informationfurther comprises a second sent encrypted reference signal obtained byusing the pilot key and a second reference signal.
 20. The apparatus ofclaim 15, wherein the program instructions further cause the apparatusto perform the operations: generating the first sent encrypted referencesignal using the pilot key and the first reference signal.